Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps
17 npm and PyPI packages typosquatting payment SDKs steal API keys and credentials via ngrok C2.
Summary
Socket detected a coordinated malware campaign on July 7, 2026 targeting developers using PaySafe, Skrill, and Neteller payment applications. The attackers published 13 npm packages and 4 PyPI packages with names mimicking legitimate SDKs, each containing credential-stealing malware that harvested API keys, tokens, and secrets from environment variables and exfiltrated them to an ngrok-hosted command-and-control server. The malware employed obfuscation, sandbox evasion, and multi-ecosystem targeting to evade detection.
Full text
Security NewsNode.js Considers Public Workflow for Security Reports Amid AI-Driven SurgeNode.js is debating whether AI-driven security report volume warrants moving more vulnerability reports into public workflows.By Sarah Gooding - Jul 06, 2026
Indicators of Compromise
- domain — caliber-spinner-finishing.ngrok-free.dev
- hash_sha256 — ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c
- hash_sha256 — b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea
- hash_sha256 — 8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43
- hash_sha256 — c6af37a6739f0d919ab7049caf3a85831cab44bdbea27e0d9de7adec80334e2b
- hash_sha256 — b04daeacd1d1c9020cce2a97fa7af83dbedf4e6d17dd12c0f337f32240399785