registry  /  skrill-sdk  /  1.0.0

skrill-sdk@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10544 confirms this npm version as malicious. Package publishes as `skrill-sdk` and exposes a `PaysafeClient` API (payments.create/get, customers.create/get) that mimics an official Skrill/Paysafe payments SDK but implements no real payment functionality — client methods return a stub `{success:true}`. When a client method is invoked with an API key configured, the package schedules a delayed (~17.8s) exfiltration that collects the machine hostname, username,...

Advisory
MAL-2026-10544
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in skrill-sdk (npm)
Details
Package publishes as `skrill-sdk` and exposes a `PaysafeClient` API (payments.create/get, customers.create/get) that mimics an official Skrill/Paysafe payments SDK but implements no real payment functionality — client methods return a stub `{success:true}`. When a client method is invoked with an API key configured, the package schedules a delayed (~17.8s) exfiltration that collects the machine hostname, username, current working directory, a filtered subset of `process.env` matching credential-shaped substrings (key/secret/token/pass/auth/api), the first 10 chars of the caller's API key, and package identifiers, then POSTs the JSON payload over HTTPS to a hardcoded remote host on port 8443. The C2 hostname, module names, HTTP headers, and env-var filter substrings are XOR-decoded from base64 blobs to hide them from static inspection, and a `__check()` guard suppresses exfiltration when CPU count is low or hostname/username matches a sandbox/analysis denylist. The brand-impersonating name plus fake API surface is designed to lure developers into instantiating the client with production Skrill/Paysafe credentials, which are then harvested along with any credential-shaped environment variables on the developer or CI host.
Decision reason
OpenSSF Malicious Packages via OSV confirms skrill-sdk@1.0.0 as malicious (MAL-2026-10544): Malicious code in skrill-sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory