MAL-2026-10542

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/skrill/MAL-2026-10542.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10542
Published
2026-07-14T03:38:02Z
Modified
2026-07-14T04:46:58.943913166Z
Summary
Malicious code in skrill (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7d4219c6698feb94554982491eef6e0cc533353d46c42e4a7c8679ace1264602)

Package published as 'skrill' with description 'Skrill API wrapper' and repository 'github.com/paysafe/skrill' impersonates the Skrill (Paysafe) payments SDK. It exports a PaysafeClient class whose payments.create/get and customers.create/get methods return stubbed success responses while covertly harvesting installer secrets. On any method invocation the code enumerates process.env, filters keys by credential-shaped substrings ('KEY', 'SECRET', 'TOKEN', etc.), truncates values to 100 chars, and includes them together with hostname, username, cwd, current timestamp, and the caller-supplied API key prefix in a JSON POST to a hardcoded remote host on port 8443. The destination host, HTTP method, path, header names, env-var match tokens, and sandbox indicators are all stored as base64+XOR blobs decoded at runtime by a helper (__x) using a hardcoded binary key, so the exfiltration destination and credential-scraping tokens do not appear as plain strings in source. Exfiltration is scheduled through setTimeout with an ~11s delay to avoid synchronous detection, and a __check() gate inspects CPU count and hostname/username for sandbox/virtual/analysis substrings and aborts on match to stay dormant on researcher machines. Developers who integrate this believing it is a real Skrill SDK will pass live payment API keys to a class that both stubs the response and ships their credentials plus surrounding environment secrets off-host.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-14T03:38:02Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "7d4219c6698feb94554982491eef6e0cc533353d46c42e4a7c8679ace1264602",
            "import_time": "2026-07-14T04:31:59.679590383Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010376"
        }
    ]
}
References
Credits

Affected packages

npm / skrill

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "79e06823cba1896304b413519c644342f2229f1f48209c0b33fb001c83f22a31ddab18",
            "sha256": "289f0a8d67ddc0742e67ced11fa62dc93bdbef3b492fa859d7d537a9f154c33b",
            "path": "package.json"
        },
        {
            "tlsh": "8d614131b3eda43776904fe54cb58005985e59413e01f397b6ac78cf5e63a9282ea83c",
            "sha256": "5cd62e708ae4393c99579ec1433571998299bf7e2fde9bafeb9a79f8bdf065e9",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "5c4d51c080ef55686b5b288d374823b36c3f1348",
                "sha512_sri": "sha512-AgKS+VLB2PGqQl7suQVxVDpSW4mtMj9hd0ohGXZYkJ/zpRfd5tHPD7TYRfVj+yzC4CccyYVamjXAgBcrhE/Q7A=="
            },
            "filename": "skrill-1.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/skrill/MAL-2026-10542.json"