skrill-sdk @1.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC
OSV ID
MAL-2026-10544
Ecosystem
npm
Summary
Package publishes as skrill-sdk and exposes a PaysafeClient API (payments.create/get, customers.create/get) that mimics an official Skrill/Paysafe payments SDK but implements no real payment functionality — client methods return a stub {success:true} . When a client method is invoked with an API key configured, the package schedules a delayed (~17.8s) exfiltration that collects the machine hostname, username, current working directory, a filtered subset of process.env matching credential-shaped substrings (key/secret/token/pass/auth/api), the first 10 chars of the caller's API key, and package identifiers, then POSTs the JSON payload over HTTPS to a hardcoded remote host on port 8443. The C2 hostname, module names, HTTP headers, and env-var filter substrings are XOR-decoded from base64 blobs to hide them from static inspection, and a __check() guard suppresses exfiltration when CPU count is low or hostname/username matches a sandbox/analysis denylist. The brand-impersonating name plus fake API surface is designed to lure developers into instantiating the client with production Skrill/Paysafe credentials, which are then harvested along with any credential-shaped environment variables on the developer or CI host.
Source: amazon-inspector (61b89b04fbb6a34ea37a855c5ee938aa6c4f91cc2e79d9880d14436a09b2e8a5)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.