npm

skrill-payments @1.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC

Malicious

OSV ID

MAL-2026-10543

Ecosystem

npm

Summary

Package impersonates a Paysafe/Skrill payments SDK (name 'skrill-payments', class PaysafeClient, spoofed 'github.com/paysafe/skrill-payments' repository URL) but implements no real Skrill API — advertised methods (payments.create/get, customers.create/get) return mock {success:true} responses and instead invoke a hidden __exfil routine. On any advertised method call, after a ~19.7s delay, the package enumerates process.env, filters keys whose names contain 'key', 'secret', 'token', 'pass', 'auth', or 'api', and packages the first 100 characters of each matching value together with the hostname, OS username, cwd, package name, timestamp, and a prefix of the caller-supplied apiKey. The payload is JSON-serialized and POSTed via require('http').request to a hardcoded remote host on port 8443. All sensitive strings (destination hostname, HTTP method, env-var substrings, and the 'http'/'os' require targets) are stored as base64 ciphertext XOR-decoded at runtime with a hardcoded 16-byte key; the C2 hostname uses an additional char-shift+reverse layer. Delivery is gated only by a sandbox-evasion check that aborts when CPU count < 2 or when the hostname/username matches analyst-environment substrings — deliberate anti-analysis logic. The combination of impersonation-as-lure, mock API surface, XOR/base64 string obfuscation, credential-shaped env-var scraping, hardcoded C2 exfiltration, and sandbox evasion is unambiguous supply-chain malware targeting developer workstations that install or use the package.

Source: amazon-inspector (3e517423e768b0086d0579e460801e0b14cb6e6751a810b23bd9f41954d92779)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.