VDB
KO

MAL-2026-10542

Malicious code in skrill (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7d4219c6698feb94554982491eef6e0cc533353d46c42e4a7c8679ace1264602) Package published as 'skrill' with description 'Skrill API wrapper' and repository 'github.com/paysafe/skrill' impersonates the Skrill (Paysafe) payments SDK. It exports a PaysafeClient class whose payments.create/get and customers.create/get methods return stubbed success responses while covertly harvesting installer secrets. On any method invocation the code enumerates process.env, filters keys by credential-shaped substrings ('KEY', 'SECRET', 'TOKEN', etc.), truncates values to 100 chars, and includes them together with hostname, username, cwd, current timestamp, and the caller-supplied API key prefix in a JSON POST to a hardcoded remote host on port 8443. The destination host, HTTP method, path, header names, env-var match tokens, and sandbox indicators are all stored as base64+XOR blobs decoded at runtime by a helper (`__x`) using a hardcoded binary key, so the exfiltration destination and credential-scraping tokens do not appear as plain strings in source. Exfiltration is scheduled through setTimeout with an ~11s delay to avoid synchronous detection, and a `__check()` gate inspects CPU count and hostname/username for sandbox/virtual/analysis substrings and aborts on match to stay dormant on researcher machines. Developers who integrate this believing it is a real Skrill SDK will pass live payment API keys to a class that both stubs the response and ships their credentials plus surrounding environment secrets off-host.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / skrill

No fixed version published yet for skrill (npm). Pin to a known-safe version or switch to an alternative.

References