Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps
A coordinated campaign identified on July 7, 2026, involved 17 malicious packages published simultaneously across the npm and PyPI ecosystems. These packages typosquatted legitimate payment SDKs such as PaySafe, Skrill, and Neteller to steal developer credentials and tokens. The malware uses advanced anti-analysis techniques including sandbox detection based on CPU cores and hostname patterns, multi-layer C2 domain obfuscation with XOR encoding, and selective activation gating. Once executed, the packages exfiltrate environment variables containing sensitive API keys, secrets, tokens, and authentication credentials to AWS-hosted infrastructure via an ngrok endpoint. This campaign reflects a financially motivated, organized threat actor with cross-ecosystem capabilities and operational security awareness.
AI Analysis
Technical Summary
This threat campaign involves malicious packages published simultaneously on npm and PyPI that impersonate popular secure payment SDKs through typosquatting. The malware embedded in these packages employs sophisticated evasion techniques such as sandbox detection and multi-layer command-and-control domain obfuscation using XOR encoding. It selectively activates to avoid detection and exfiltrates sensitive environment variables including API keys and authentication tokens to attacker-controlled infrastructure hosted on AWS and accessed via ngrok tunnels. The campaign demonstrates coordination across multiple package ecosystems and operational security measures, indicating an organized financially motivated adversary. No specific affected software versions are identified, as the threat targets developers who may install these malicious packages.
Potential Impact
The campaign enables theft of developer credentials, API keys, tokens, and authentication secrets by exfiltrating environment variables from compromised development environments. This can lead to unauthorized access to cloud services and other sensitive resources. The use of typosquatting increases the risk of inadvertent installation by developers expecting legitimate payment SDKs. The advanced evasion techniques reduce the likelihood of early detection, increasing potential exposure duration.
Mitigation Recommendations
No official patches or fixes are applicable since this is a supply chain campaign involving malicious packages. Developers and organizations should avoid installing packages from untrusted or suspicious sources, verify package names carefully to avoid typosquatting traps, and monitor for unexpected environment variable exfiltration. Use of package signing, dependency scanning tools, and restricting environment variables in build and deployment pipelines can reduce risk. Since this is not a cloud service vulnerability, remediation depends on user vigilance and supply chain security practices.
Indicators of Compromise
- domain: caliber-spinner-finishing.ngrok-free.dev
- url: https://caliber-spinner-finishing.ngrok-free.dev:443/
- hash: ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c
- hash: b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea
- hash: 8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43
- hash: c8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83
- hash: 9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf
- hash: 615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369
- hash: 6dc672e3bab8bcf80c66b2f95150067fb47429d4cf65eb95215e5f3abc7cade5
- hash: 4a4b5c1bc1e948c853cb0978c07c7b8d1540c7b1ded95f8d5ad25c126cb6c7b0
- hash: 9727c804c4354e481d2ff9d4934bd1b2518293a9ca34a14f5c7ae9d0cd30ce94
- hash: 313853a82bce61052c00e6a6af85b5069e007a76122c727f31661bc636b12f14
- hash: 2cbfc4e4b1de5e68ab81fba7e1b0c711b4d26197b48ea4db6819c9cea223b0ed
- hash: a0313822513f9b89479f666888a4784a3fc99b4cc4566213dcda66b03b47120c
- hash: 3a0dd3479eaf85b65e5abd63d6451f98506faddee47cf4bebd9f91296abb29f0
- hash: 39371ac7061168dd3d890061267b3875bc4b30dca5e28d40dbc27a4396439ff1
- hash: c51c0b6c7817443b021aff44d4416c09fd039849db81860b9b5144e789fa3987
- hash: 6e251c3d2bde8fff0487c1eecd359c4a544a09fd708755020e4b1c53ad6b8dd1
- hash: cd7255730b6a7a3895d622d37d0e8f984d2d280689acef56ff195d663e7723ad
- hash: 5c4faef80c83c7ec0925a4aacb4bddabe82b91066ac41305907ba277cd7b3b85
- hash: 50cb7550224d8d227a0625e7f53be86924d8e057e403b6b91b83ea20df834048
- hash: 1bae9f2fb9866422f07345501fa2cb4c3a99f2652c8c9decdc27ffbf9714e7bc
- hash: 1df8c579ffcbf5527b1856bd1774601a5188b380e442c5a0fbd400bd86a4501b
- hash: b29973eda4d0c090608c15a976688cad0b2114fdc0dcb89ad37515287ba13aad
- hash: 9e9655f54bfac8a937d78ac506722bae1468ead4cc9ee95b35e0f8ef17ee13d9
- hash: 67e4d6a4f53098e48bfa6ecceeaa754592bc249b83404bcfb8542977ae36dac4
- hash: 1bfa32548676d32b7639d3171e2f9feefba5026dc336968c91f4ae2b152c5410
- hash: 2bc8af4bd2f539630f7800f3491b64c7e2bffe12e955d0d4f03a4f6a4b0018bd
- hash: eae055c5736366811d2a4b1f78ff206486e7f7445040122efbe023ecd2d20bcc
- hash: d4ed2d87942fbefa5d7b7f19fb6f2e9bc293c96bf577bb97ed3ca56185abcf25
- hash: 447484c76a06918d7f6f6c6f95ee2bced6dd2e9b282c6f5b92b2b7c0976381d5
- hash: f43cb68850a2506805d60ff466f54eba331e1cc2a513b329f5121e0c39104418
- hash: 1314fc888ca5b3ea91a04e1f5b63039ffc7fc3832b8d809a28ad549c6f9d4f23
- hash: af66bc2b516d1ef71af9b6ee9f8f5af0a99fed562b34809cd55071b94c2d1304
- hash: b157a66826d27512c3618817fee924e53d14cabb2c4c7f454affde37350f55f0
- hash: 2303a74a5fac917279f1078e03a4bfd6afbb89462f97d7344ed10e6e9e9e92b7
- hash: 5242c5086d75a492d14e474de7c8f34b18ec0a8a9ce6d77eec8675a9572d9d23
- hash: 1d567795a366b9edcfef7f1fa2d398b7cb41890dd3b2f3f1f9803de0cdba0c89
- hash: c2e4483abea830ba8b8230540ace51788d0712bed9006697ddddb9cbf133c151
- hash: 390bca9d70efa42cb792f7f677189821a24527cd4298ab2acb954df0abb5c1c3
- hash: f7d9865ea3874d2b135eeee0aa0d12fc108d89e1dd706e4e40eb7605b76d35ca
- hash: 2b7696575278e6e223cc44553c687e45afd04df7eb32efbf49b39da64b795982
- hash: 2edb3f162f9676196e818d9b795d599ba119a961ffe98c4866351735980d213d
- hash: 727fe9c1dfa39d6590012e0593c9837c628fc2cd22aa0f4e486b7ed1aec02697
- hash: 8a58e3ed713c1c70f421ab56a18cfb6a120c960d227e495b511c2552f25f188b
- hash: 67eb3bd505ebfffbd73fc3ef0b2976c375df732f0bd0496ed6653c3e2be5a0e5
- hash: 616b41657e9afaa9354fc1a106393373dcbf8aac8455b7d2cbbb44463434528e
- hash: 52a57c502e40b3f9897d0ca32bba6f844b4113f5c017627ea9eba660eb47f405
- hash: d1889d81cfa99d52017732da9dc52127d03893037874c8671943cede4b8d1bb2
- hash: a677c02e545941e43f8b21a5761b035e911b53e2c065fea219e0f3462f282fd8
- hash: e076e13a7e112d364f03bd1ead7abaa83249d544491621254860ab0a73adc9b9
- hash: c2a69a33b086364ca51b030b6b15e99be46ce8255ddf62839a4fc7f2b34023de
- hash: 5cd62e708ae4393c99579ec1433571998299bf7e2fde9bafeb9a79f8bdf065e9
- hash: 61b61dd25cd8dcc43cd78418f3e3eb3fd9002d9e49961eefb12c1022ce4c3b63
- hash: c6af37a6739f0d919ab7049caf3a85831cab44bdbea27e0d9de7adec80334e2b
- hash: b04daeacd1d1c9020cce2a97fa7af83dbedf4e6d17dd12c0f337f32240399785
- hash: dabb47d75f2efa6a5540661484efa989ccb338f24938b23152f14f3e424b0cb5
- hash: c2a361a7d8feb95be97c957fc7652d348f4fa9a987bde5f09883f46b65c460f1
Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps
Description
A coordinated campaign identified on July 7, 2026, involved 17 malicious packages published simultaneously across the npm and PyPI ecosystems. These packages typosquatted legitimate payment SDKs such as PaySafe, Skrill, and Neteller to steal developer credentials and tokens. The malware uses advanced anti-analysis techniques including sandbox detection based on CPU cores and hostname patterns, multi-layer C2 domain obfuscation with XOR encoding, and selective activation gating. Once executed, the packages exfiltrate environment variables containing sensitive API keys, secrets, tokens, and authentication credentials to AWS-hosted infrastructure via an ngrok endpoint. This campaign reflects a financially motivated, organized threat actor with cross-ecosystem capabilities and operational security awareness.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat campaign involves malicious packages published simultaneously on npm and PyPI that impersonate popular secure payment SDKs through typosquatting. The malware embedded in these packages employs sophisticated evasion techniques such as sandbox detection and multi-layer command-and-control domain obfuscation using XOR encoding. It selectively activates to avoid detection and exfiltrates sensitive environment variables including API keys and authentication tokens to attacker-controlled infrastructure hosted on AWS and accessed via ngrok tunnels. The campaign demonstrates coordination across multiple package ecosystems and operational security measures, indicating an organized financially motivated adversary. No specific affected software versions are identified, as the threat targets developers who may install these malicious packages.
Potential Impact
The campaign enables theft of developer credentials, API keys, tokens, and authentication secrets by exfiltrating environment variables from compromised development environments. This can lead to unauthorized access to cloud services and other sensitive resources. The use of typosquatting increases the risk of inadvertent installation by developers expecting legitimate payment SDKs. The advanced evasion techniques reduce the likelihood of early detection, increasing potential exposure duration.
Mitigation Recommendations
No official patches or fixes are applicable since this is a supply chain campaign involving malicious packages. Developers and organizations should avoid installing packages from untrusted or suspicious sources, verify package names carefully to avoid typosquatting traps, and monitor for unexpected environment variable exfiltration. Use of package signing, dependency scanning tools, and restricting environment variables in build and deployment pipelines can reduce risk. Since this is not a cloud service vulnerability, remediation depends on user vigilance and supply chain security practices.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://socket.dev/blog/npm-pypi-campaign-typosquats-popular-secure-payment-apps"]
- Adversary
- null
- Pulse Id
- 6a4d89817cfad2c0f464e67a
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domaincaliber-spinner-finishing.ngrok-free.dev | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://caliber-spinner-finishing.ngrok-free.dev:443/ | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c | — | |
hashb2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea | — | |
hash8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43 | — | |
hashc8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83 | — | |
hash9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf | — | |
hash615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369 | — | |
hash6dc672e3bab8bcf80c66b2f95150067fb47429d4cf65eb95215e5f3abc7cade5 | — | |
hash4a4b5c1bc1e948c853cb0978c07c7b8d1540c7b1ded95f8d5ad25c126cb6c7b0 | — | |
hash9727c804c4354e481d2ff9d4934bd1b2518293a9ca34a14f5c7ae9d0cd30ce94 | — | |
hash313853a82bce61052c00e6a6af85b5069e007a76122c727f31661bc636b12f14 | — | |
hash2cbfc4e4b1de5e68ab81fba7e1b0c711b4d26197b48ea4db6819c9cea223b0ed | — | |
hasha0313822513f9b89479f666888a4784a3fc99b4cc4566213dcda66b03b47120c | — | |
hash3a0dd3479eaf85b65e5abd63d6451f98506faddee47cf4bebd9f91296abb29f0 | — | |
hash39371ac7061168dd3d890061267b3875bc4b30dca5e28d40dbc27a4396439ff1 | — | |
hashc51c0b6c7817443b021aff44d4416c09fd039849db81860b9b5144e789fa3987 | — | |
hash6e251c3d2bde8fff0487c1eecd359c4a544a09fd708755020e4b1c53ad6b8dd1 | — | |
hashcd7255730b6a7a3895d622d37d0e8f984d2d280689acef56ff195d663e7723ad | — | |
hash5c4faef80c83c7ec0925a4aacb4bddabe82b91066ac41305907ba277cd7b3b85 | — | |
hash50cb7550224d8d227a0625e7f53be86924d8e057e403b6b91b83ea20df834048 | — | |
hash1bae9f2fb9866422f07345501fa2cb4c3a99f2652c8c9decdc27ffbf9714e7bc | — | |
hash1df8c579ffcbf5527b1856bd1774601a5188b380e442c5a0fbd400bd86a4501b | — | |
hashb29973eda4d0c090608c15a976688cad0b2114fdc0dcb89ad37515287ba13aad | — | |
hash9e9655f54bfac8a937d78ac506722bae1468ead4cc9ee95b35e0f8ef17ee13d9 | — | |
hash67e4d6a4f53098e48bfa6ecceeaa754592bc249b83404bcfb8542977ae36dac4 | — | |
hash1bfa32548676d32b7639d3171e2f9feefba5026dc336968c91f4ae2b152c5410 | — | |
hash2bc8af4bd2f539630f7800f3491b64c7e2bffe12e955d0d4f03a4f6a4b0018bd | — | |
hasheae055c5736366811d2a4b1f78ff206486e7f7445040122efbe023ecd2d20bcc | — | |
hashd4ed2d87942fbefa5d7b7f19fb6f2e9bc293c96bf577bb97ed3ca56185abcf25 | — | |
hash447484c76a06918d7f6f6c6f95ee2bced6dd2e9b282c6f5b92b2b7c0976381d5 | — | |
hashf43cb68850a2506805d60ff466f54eba331e1cc2a513b329f5121e0c39104418 | — | |
hash1314fc888ca5b3ea91a04e1f5b63039ffc7fc3832b8d809a28ad549c6f9d4f23 | — | |
hashaf66bc2b516d1ef71af9b6ee9f8f5af0a99fed562b34809cd55071b94c2d1304 | — | |
hashb157a66826d27512c3618817fee924e53d14cabb2c4c7f454affde37350f55f0 | — | |
hash2303a74a5fac917279f1078e03a4bfd6afbb89462f97d7344ed10e6e9e9e92b7 | — | |
hash5242c5086d75a492d14e474de7c8f34b18ec0a8a9ce6d77eec8675a9572d9d23 | — | |
hash1d567795a366b9edcfef7f1fa2d398b7cb41890dd3b2f3f1f9803de0cdba0c89 | — | |
hashc2e4483abea830ba8b8230540ace51788d0712bed9006697ddddb9cbf133c151 | — | |
hash390bca9d70efa42cb792f7f677189821a24527cd4298ab2acb954df0abb5c1c3 | — | |
hashf7d9865ea3874d2b135eeee0aa0d12fc108d89e1dd706e4e40eb7605b76d35ca | — | |
hash2b7696575278e6e223cc44553c687e45afd04df7eb32efbf49b39da64b795982 | — | |
hash2edb3f162f9676196e818d9b795d599ba119a961ffe98c4866351735980d213d | — | |
hash727fe9c1dfa39d6590012e0593c9837c628fc2cd22aa0f4e486b7ed1aec02697 | — | |
hash8a58e3ed713c1c70f421ab56a18cfb6a120c960d227e495b511c2552f25f188b | — | |
hash67eb3bd505ebfffbd73fc3ef0b2976c375df732f0bd0496ed6653c3e2be5a0e5 | — | |
hash616b41657e9afaa9354fc1a106393373dcbf8aac8455b7d2cbbb44463434528e | — | |
hash52a57c502e40b3f9897d0ca32bba6f844b4113f5c017627ea9eba660eb47f405 | — | |
hashd1889d81cfa99d52017732da9dc52127d03893037874c8671943cede4b8d1bb2 | — | |
hasha677c02e545941e43f8b21a5761b035e911b53e2c065fea219e0f3462f282fd8 | — | |
hashe076e13a7e112d364f03bd1ead7abaa83249d544491621254860ab0a73adc9b9 | — | |
hashc2a69a33b086364ca51b030b6b15e99be46ce8255ddf62839a4fc7f2b34023de | — | |
hash5cd62e708ae4393c99579ec1433571998299bf7e2fde9bafeb9a79f8bdf065e9 | — | |
hash61b61dd25cd8dcc43cd78418f3e3eb3fd9002d9e49961eefb12c1022ce4c3b63 | — | |
hashc6af37a6739f0d919ab7049caf3a85831cab44bdbea27e0d9de7adec80334e2b | — | |
hashb04daeacd1d1c9020cce2a97fa7af83dbedf4e6d17dd12c0f337f32240399785 | — | |
hashdabb47d75f2efa6a5540661484efa989ccb338f24938b23152f14f3e424b0cb5 | — | |
hashc2a361a7d8feb95be97c957fc7652d348f4fa9a987bde5f09883f46b65c460f1 | — |
Threat ID: 6a4f86cf68715ace433d716b
Added to database: 07/09/2026, 11:32:31 UTC
Last enriched: 07/09/2026, 11:47:32 UTC
Last updated: 07/10/2026, 01:43:07 UTC
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.