
Masquerading payment npm package installs backdoor

Cybersecurity researchers at Socket have uncovered a malicious npm package that hijacks server control during payment transactions.

The package, @naderabdi/merchant-advcash, masquerades as a legitimate integration for the digital payment platform Advcash (now rebranded as Volet). The package embeds a reverse shell activated after successful payments that enables attackers to remotely commandeer systems.

Advcash, though niche compared to mainstream services like PayPal, is frequently used in grey-market cryptocurrency exchanges and offshore finance—a profile exploited by threat actors to evade scrutiny. Socket’s findings highlight a growing trend of malware targeting high-trust workflows in payment ecosystems.

The malicious npm module mimics genuine payment processing logic, performing SHA-256 hashing, credential validation, and transaction simulations. However, its url_success() method – triggered post-payment – executes a reverse shell, connecting victims’ servers to an attacker-controlled IP address.

Unlike typical supply chain attacks that activate during installation, this payload delays execution until a transaction succeeds—a move designed to bypass static analysis tools and target production environments.

By leveraging Node.js modules like net and child_process, the shell grants attackers unfettered access to execute commands, exfiltrate data, or pivot to internal networks.

The package’s sophistication lies in blending malicious code with legitimate functions:

  • Realistic features: Validates currencies, hashes payment tokens, and dynamically fetches API credentials.
  • Context-specific activation: The reverse shell only triggers during payment success callbacks, a moment of lowered guard.
  • Minimal footprint: No errors or standalone scripts; malicious logic is embedded within standard HTTP response handling.

“It’s designed to build trust in the module, encouraging developers to integrate it deeply within production environments, thereby maximising the attacker’s reach once the reverse shell is triggered,” Socket’s researchers noted.

The malicious package masquerading as legitimate payment integration has been reported and removed from npm, but similar threats likely persist.

“It’s a reminder for developers and security teams: trust nothing blindly. Even packages that appear purpose-built for e-commerce or payments can be Trojan horses for deeper compromises,” Socket concludes.

(Photo by Max Zhdanov)
