Back to Intelligence

Multi-Ecosystem Supply Chain Attack: npm & PyPI Typosquatting Campaign Targeting Payment SDKs

SA
Security Arsenal Team
July 9, 2026
5 min read

Threat Summary

AlienVault OTX has detected a coordinated supply chain attack targeting the software development lifecycle. On July 7, 2026, adversaries published 17 malicious packages simultaneously across the npm (JavaScript) and PyPI (Python) ecosystems. The campaign utilizes typosquatting techniques to impersonate popular payment SDKs, specifically mimicking PaySafe, Skrill, and Neteller.

The primary objective of this campaign is the theft of developer credentials and authentication tokens. Upon installation, the malware performs sophisticated environment checks to evade analysis before establishing a Command and Control (C2) channel via ngrok tunnels to exfiltrate sensitive data.

Threat Actor / Malware Profile

  • Adversary: Unknown (Suspected financially motivated cybercrime group).
  • Malware Type: Information Stealer (Infostealer) / Token Exfiltration Tool.
  • Distribution Method: Typosquatting on public package repositories (npm and PyPI). Packages are named to closely resemble legitimate financial SDKs.
  • Payload Behavior:
    • Credential Harvesting: Scans for developer tokens, environment variables (.env), and configuration files containing API keys.
    • Sandbox Evasion: Implements anti-analysis techniques, checking CPU core counts and hostname patterns to determine if it is running in a sandbox or research environment.
  • C2 Communication: Uses Ngrok tunnels to mask the destination infrastructure. The specific C2 domain caliber-spinner-finishing.ngrok-free.dev was observed facilitating data exfiltration over port 443 (HTTPS).

IOC Analysis

The provided IOCs include 6 SHA256 file hashes and 1 network domain. These indicators are critical for identifying compromised environments.

  • File Hashes (SHA256): Correspond to the malicious package artifacts. These should be used to scan node_modules folders in JavaScript projects and site-packages in Python environments.
  • Domain (caliber-spinner-finishing.ngrok-free.dev): A free Ngrok subdomain used for C2. While Ngrok is a legitimate tool for developers, the .ngrok-free.dev TLD is frequently abused in malware for its lack of reputation and ease of provisioning.

Operational Guidance:

  • Block the entire *.ngrok-free.dev domain at the network perimeter if policy permits, or specifically alert on egress traffic to these domains.
  • Use EDR tools to scan for the specific file hashes.
  • Inspect package-lock. and yarn.lock (npm) or pipfile.lock (Python) for the presence of the typosquatted package names (variations of paysafe, skrill, neteller).

Detection Engineering

The following detection logic is derived from the TTPs observed in the OTX pulse: suspicious network connections to Ngrok free domains and the presence of known malicious file hashes.

YAML
---
title: Potential C2 Connection to Ngrok Free Domain
id: 95c88a2b-8774-4b0c-9e44-1b8b5d7f1a0d
description: Detects outbound connections to known free Ngrok domains often used for C2 infrastructure in dev supply chain attacks.
status: experimental
date: 2026/07/10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/123456789 # Placeholder for actual pulse URL
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|endswith: '.ngrok-free.dev'
    filter_legit:
        DestinationHostname|contains: 'internal-app' # Example whitelist logic
    condition: selection and not filter_legit
falsepositives:
    - Legitimate use of Ngrok by developers (should be reviewed)
level: high
---
title: Malicious npm/PyPI Supply Chain Artifacts
id: a4b1c2d3-e4f5-4a5b-8c6d-7e8f9a0b1c2d
description: Detects the presence of specific file hashes associated with the July 2026 Payment SDK typosquatting campaign.
status: experimental
date: 2026/07/10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/123456789
logsource:
    product: windows
    definition: 'File creation or hash modification events'
detection:
    selection:
        Hashes|contains:
            - 'ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c'
            - 'b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea'
            - '8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43'
            - 'c8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83'
            - '9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf'
            - '615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369'
    condition: selection
falsepositives:
    - None (High confidence IOCs)
level: critical


kql
// Hunt for connections to the specific Ngrok C2 domain observed in this pulse
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "ngrok-free.dev" 
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP

// Hunt for the specific malicious file hashes on endpoints
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c",
    "b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea",
    "8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43",
    "c8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83",
    "9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf",
    "615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369"
)
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName


powershell
# IOC Hunter Script for Payment SDK Typosquatting Campaign
# Scans common package directories for known malicious file hashes

$MaliciousHashes = @(
    "ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c",
    "b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea",
    "8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43",
    "c8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83",
    "9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf",
    "615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369"
)

# Scan common project roots (Adjust paths as necessary for your environment)
$ScanPaths = @("C:\Users\*\source\repos", "C:\Projects", "C:\code")

Write-Host "Starting IOC Scan for Payment SDK Infostealers..." -ForegroundColor Cyan

foreach ($path in $ScanPaths) {
    if (Test-Path $path) {
        Write-Host "Scanning path: $path" -ForegroundColor Yellow
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue | Where-Object { 
            $MaliciousHashes -contains $_.Hash 
        } | ForEach-Object {
            Write-Host "[ALERT] Malicious file found: $($_.Path) (Hash: $($_.Hash))" -ForegroundColor Red
        }
    }
}

# Check DNS Cache for Ngrok Free domains
Write-Host "Checking DNS Cache for ngrok-free.dev domains..." -ForegroundColor Yellow
Get-DnsClientCache | Where-Object { $_.Entry -like "*.ngrok-free.dev" } | Select-Object Entry, Data

Write-Host "Scan Complete."

Response Priorities

  • Immediate: Block all egress traffic to *.ngrok-free.dev at the firewall/proxy level. Quarantine any systems identified with the malicious file hashes.
  • 24 Hours: Conduct a targeted hunt in source code repositories for dependencies matching the typosquatted names (PaySafe, Skrill, Neteller). Review recent npm/PyPI install logs in build servers for compromise.
  • 1 Week: Enforce software composition analysis (SCA) within CI/CD pipelines to prevent typosquatting packages from being introduced. Rotate any developer credentials or API tokens stored in environments where these packages may have been installed.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialssupply-chaininfostealernpmpypityposquatting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.