Back to Feed
Supply ChainJul 7, 2026

Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps

17 npm and PyPI packages typosquatting payment SDKs steal API keys and credentials via ngrok C2.

Summary

Socket detected a coordinated malware campaign on July 7, 2026 targeting developers using PaySafe, Skrill, and Neteller payment applications. The attackers published 13 npm packages and 4 PyPI packages with names mimicking legitimate SDKs, each containing credential-stealing malware that harvested API keys, tokens, and secrets from environment variables and exfiltrated them to an ngrok-hosted command-and-control server. The malware employed obfuscation, sandbox evasion, and multi-ecosystem targeting to evade detection.

Full text

Security NewsNode.js Considers Public Workflow for Security Reports Amid AI-Driven SurgeNode.js is debating whether AI-driven security report volume warrants moving more vulnerability reports into public workflows.By Sarah Gooding - Jul 06, 2026

Indicators of Compromise

  • domain — caliber-spinner-finishing.ngrok-free.dev
  • hash_sha256 — ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c
  • hash_sha256 — b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea
  • hash_sha256 — 8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43
  • hash_sha256 — c6af37a6739f0d919ab7049caf3a85831cab44bdbea27e0d9de7adec80334e2b
  • hash_sha256 — b04daeacd1d1c9020cce2a97fa7af83dbedf4e6d17dd12c0f337f32240399785

Entities

npm (product)PyPI (product)PaySafe SDK (product)Skrill SDK (product)Neteller SDK (product)Socket (vendor)