OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10543 confirms this npm version as malicious. Package impersonates a Paysafe/Skrill payments SDK (name 'skrill-payments', class PaysafeClient, spoofed 'github.com/paysafe/skrill-payments' repository URL) but implements no real Skrill API — advertised methods (payments.create/get, customers.create/get) return mock `{success:true}` responses and instead invoke a hidden __exfil routine. On any advertised method call, after a ~19.7s delay, the package enumerates...
Advisory
MAL-2026-10543
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in skrill-payments (npm)
Details
Package impersonates a Paysafe/Skrill payments SDK (name 'skrill-payments', class PaysafeClient, spoofed 'github.com/paysafe/skrill-payments' repository URL) but implements no real Skrill API — advertised methods (payments.create/get, customers.create/get) return mock `{success:true}` responses and instead invoke a hidden __exfil routine. On any advertised method call, after a ~19.7s delay, the package enumerates process.env, filters keys whose names contain 'key', 'secret', 'token', 'pass', 'auth', or 'api', and packages the first 100 characters of each matching value together with the hostname, OS username, cwd, package name, timestamp, and a prefix of the caller-supplied apiKey. The payload is JSON-serialized and POSTed via require('http').request to a hardcoded remote host on port 8443. All sensitive strings (destination hostname, HTTP method, env-var substrings, and the 'http'/'os' require targets) are stored as base64 ciphertext XOR-decoded at runtime with a hardcoded 16-byte key; the C2 hostname uses an additional char-shift+reverse layer. Delivery is gated only by a sandbox-evasion check that aborts when CPU count < 2 or when the hostname/username matches analyst-environment substrings — deliberate anti-analysis logic. The combination of impersonation-as-lure, mock API surface, XOR/base64 string obfuscation, credential-shaped env-var scraping, hardcoded C2 exfiltration, and sandbox evasion is unambiguous supply-chain malware targeting developer workstations that install or use the package.
Decision reason
OpenSSF Malicious Packages via OSV confirms skrill-payments@1.0.0 as malicious (MAL-2026-10543): Malicious code in skrill-payments (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory