Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps

0
Medium
Published: 07/07/2026 (07/07/2026, 23:19:29 UTC)
Source: AlienVault OTX General

Description

A coordinated campaign identified on July 7, 2026, involved 17 malicious packages published simultaneously across the npm and PyPI ecosystems. These packages typosquatted legitimate payment SDKs such as PaySafe, Skrill, and Neteller to steal developer credentials and tokens. The malware uses advanced anti-analysis techniques including sandbox detection based on CPU cores and hostname patterns, multi-layer C2 domain obfuscation with XOR encoding, and selective activation gating. Once executed, the packages exfiltrate environment variables containing sensitive API keys, secrets, tokens, and authentication credentials to AWS-hosted infrastructure via an ngrok endpoint. This campaign reflects a financially motivated, organized threat actor with cross-ecosystem capabilities and operational security awareness.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 11:47:32 UTC

Technical Analysis

This threat campaign involves malicious packages published simultaneously on npm and PyPI that impersonate popular secure payment SDKs through typosquatting. The malware embedded in these packages employs sophisticated evasion techniques such as sandbox detection and multi-layer command-and-control domain obfuscation using XOR encoding. It selectively activates to avoid detection and exfiltrates sensitive environment variables including API keys and authentication tokens to attacker-controlled infrastructure hosted on AWS and accessed via ngrok tunnels. The campaign demonstrates coordination across multiple package ecosystems and operational security measures, indicating an organized financially motivated adversary. No specific affected software versions are identified, as the threat targets developers who may install these malicious packages.

Potential Impact

The campaign enables theft of developer credentials, API keys, tokens, and authentication secrets by exfiltrating environment variables from compromised development environments. This can lead to unauthorized access to cloud services and other sensitive resources. The use of typosquatting increases the risk of inadvertent installation by developers expecting legitimate payment SDKs. The advanced evasion techniques reduce the likelihood of early detection, increasing potential exposure duration.

Mitigation Recommendations

No official patches or fixes are applicable since this is a supply chain campaign involving malicious packages. Developers and organizations should avoid installing packages from untrusted or suspicious sources, verify package names carefully to avoid typosquatting traps, and monitor for unexpected environment variable exfiltration. Use of package signing, dependency scanning tools, and restricting environment variables in build and deployment pipelines can reduce risk. Since this is not a cloud service vulnerability, remediation depends on user vigilance and supply chain security practices.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://socket.dev/blog/npm-pypi-campaign-typosquats-popular-secure-payment-apps"]
Adversary
null
Pulse Id
6a4d89817cfad2c0f464e67a
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domaincaliber-spinner-finishing.ngrok-free.dev

Url

ValueDescriptionCopy
urlhttps://caliber-spinner-finishing.ngrok-free.dev:443/

Hash

ValueDescriptionCopy
hashce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c
hashb2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea
hash8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43
hashc8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83
hash9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf
hash615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369
hash6dc672e3bab8bcf80c66b2f95150067fb47429d4cf65eb95215e5f3abc7cade5
hash4a4b5c1bc1e948c853cb0978c07c7b8d1540c7b1ded95f8d5ad25c126cb6c7b0
hash9727c804c4354e481d2ff9d4934bd1b2518293a9ca34a14f5c7ae9d0cd30ce94
hash313853a82bce61052c00e6a6af85b5069e007a76122c727f31661bc636b12f14
hash2cbfc4e4b1de5e68ab81fba7e1b0c711b4d26197b48ea4db6819c9cea223b0ed
hasha0313822513f9b89479f666888a4784a3fc99b4cc4566213dcda66b03b47120c
hash3a0dd3479eaf85b65e5abd63d6451f98506faddee47cf4bebd9f91296abb29f0
hash39371ac7061168dd3d890061267b3875bc4b30dca5e28d40dbc27a4396439ff1
hashc51c0b6c7817443b021aff44d4416c09fd039849db81860b9b5144e789fa3987
hash6e251c3d2bde8fff0487c1eecd359c4a544a09fd708755020e4b1c53ad6b8dd1
hashcd7255730b6a7a3895d622d37d0e8f984d2d280689acef56ff195d663e7723ad
hash5c4faef80c83c7ec0925a4aacb4bddabe82b91066ac41305907ba277cd7b3b85
hash50cb7550224d8d227a0625e7f53be86924d8e057e403b6b91b83ea20df834048
hash1bae9f2fb9866422f07345501fa2cb4c3a99f2652c8c9decdc27ffbf9714e7bc
hash1df8c579ffcbf5527b1856bd1774601a5188b380e442c5a0fbd400bd86a4501b
hashb29973eda4d0c090608c15a976688cad0b2114fdc0dcb89ad37515287ba13aad
hash9e9655f54bfac8a937d78ac506722bae1468ead4cc9ee95b35e0f8ef17ee13d9
hash67e4d6a4f53098e48bfa6ecceeaa754592bc249b83404bcfb8542977ae36dac4
hash1bfa32548676d32b7639d3171e2f9feefba5026dc336968c91f4ae2b152c5410
hash2bc8af4bd2f539630f7800f3491b64c7e2bffe12e955d0d4f03a4f6a4b0018bd
hasheae055c5736366811d2a4b1f78ff206486e7f7445040122efbe023ecd2d20bcc
hashd4ed2d87942fbefa5d7b7f19fb6f2e9bc293c96bf577bb97ed3ca56185abcf25
hash447484c76a06918d7f6f6c6f95ee2bced6dd2e9b282c6f5b92b2b7c0976381d5
hashf43cb68850a2506805d60ff466f54eba331e1cc2a513b329f5121e0c39104418
hash1314fc888ca5b3ea91a04e1f5b63039ffc7fc3832b8d809a28ad549c6f9d4f23
hashaf66bc2b516d1ef71af9b6ee9f8f5af0a99fed562b34809cd55071b94c2d1304
hashb157a66826d27512c3618817fee924e53d14cabb2c4c7f454affde37350f55f0
hash2303a74a5fac917279f1078e03a4bfd6afbb89462f97d7344ed10e6e9e9e92b7
hash5242c5086d75a492d14e474de7c8f34b18ec0a8a9ce6d77eec8675a9572d9d23
hash1d567795a366b9edcfef7f1fa2d398b7cb41890dd3b2f3f1f9803de0cdba0c89
hashc2e4483abea830ba8b8230540ace51788d0712bed9006697ddddb9cbf133c151
hash390bca9d70efa42cb792f7f677189821a24527cd4298ab2acb954df0abb5c1c3
hashf7d9865ea3874d2b135eeee0aa0d12fc108d89e1dd706e4e40eb7605b76d35ca
hash2b7696575278e6e223cc44553c687e45afd04df7eb32efbf49b39da64b795982
hash2edb3f162f9676196e818d9b795d599ba119a961ffe98c4866351735980d213d
hash727fe9c1dfa39d6590012e0593c9837c628fc2cd22aa0f4e486b7ed1aec02697
hash8a58e3ed713c1c70f421ab56a18cfb6a120c960d227e495b511c2552f25f188b
hash67eb3bd505ebfffbd73fc3ef0b2976c375df732f0bd0496ed6653c3e2be5a0e5
hash616b41657e9afaa9354fc1a106393373dcbf8aac8455b7d2cbbb44463434528e
hash52a57c502e40b3f9897d0ca32bba6f844b4113f5c017627ea9eba660eb47f405
hashd1889d81cfa99d52017732da9dc52127d03893037874c8671943cede4b8d1bb2
hasha677c02e545941e43f8b21a5761b035e911b53e2c065fea219e0f3462f282fd8
hashe076e13a7e112d364f03bd1ead7abaa83249d544491621254860ab0a73adc9b9
hashc2a69a33b086364ca51b030b6b15e99be46ce8255ddf62839a4fc7f2b34023de
hash5cd62e708ae4393c99579ec1433571998299bf7e2fde9bafeb9a79f8bdf065e9
hash61b61dd25cd8dcc43cd78418f3e3eb3fd9002d9e49961eefb12c1022ce4c3b63
hashc6af37a6739f0d919ab7049caf3a85831cab44bdbea27e0d9de7adec80334e2b
hashb04daeacd1d1c9020cce2a97fa7af83dbedf4e6d17dd12c0f337f32240399785
hashdabb47d75f2efa6a5540661484efa989ccb338f24938b23152f14f3e424b0cb5
hashc2a361a7d8feb95be97c957fc7652d348f4fa9a987bde5f09883f46b65c460f1

Threat ID: 6a4f86cf68715ace433d716b

Added to database: 07/09/2026, 11:32:31 UTC

Last enriched: 07/09/2026, 11:47:32 UTC

Last updated: 07/10/2026, 01:43:07 UTC

Views: 15

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses