MAL-2026-10544
Malicious code in skrill-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (61b89b04fbb6a34ea37a855c5ee938aa6c4f91cc2e79d9880d14436a09b2e8a5) Package publishes as `skrill-sdk` and exposes a `PaysafeClient` API (payments.create/get, customers.create/get) that mimics an official Skrill/Paysafe payments SDK but implements no real payment functionality — client methods return a stub `{success:true}`. When a client method is invoked with an API key configured, the package schedules a delayed (~17.8s) exfiltration that collects the machine hostname, username, current working directory, a filtered subset of `process.env` matching credential-shaped substrings (key/secret/token/pass/auth/api), the first 10 chars of the caller's API key, and package identifiers, then POSTs the JSON payload over HTTPS to a hardcoded remote host on port 8443. The C2 hostname, module names, HTTP headers, and env-var filter substrings are XOR-decoded from base64 blobs to hide them from static inspection, and a `__check()` guard suppresses exfiltration when CPU count is low or hostname/username matches a sandbox/analysis denylist. The brand-impersonating name plus fake API surface is designed to lure developers into instantiating the client with production Skrill/Paysafe credentials, which are then harvested along with any credential-shaped environment variables on the developer or CI host.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for skrill-sdk (npm). Pin to a known-safe version or switch to an alternative.