VDB
KO

MAL-2026-10166

Malicious code in paysafe-api (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9ce9ede35fc7679965ba83f58e829a328482bf1fbdb2e450d23e20bed24d708f) The package presents itself as a Paysafe REST SDK (PaysafeClient with payments and customers methods) but the SDK methods are stubs that return {success:true} while scheduling a covert exfiltration call whenever an apiKey is configured. The __exfil helper collects os.hostname(), os.userInfo().username, process.cwd(), a filtered subset of process.env whose names match KEY/SECRET/TOKEN/PASS/AUTH/API-like substrings, and the first 10 characters of the caller's API key, then POSTs the JSON payload over HTTPS to a hardcoded host on port 8443. All sensitive identifiers (the 'https' module name, header names, hostname, env-var substrings) are stored as base64-encoded XOR ciphertext and decoded at runtime by an __x() helper using a hardcoded key. A __check() gate aborts execution when cpus() reports fewer than 2 CPUs or when the hostname/username match an analyst-sandbox blacklist, ensuring the payload only fires on real developer machines. The package name and description impersonate the legitimate Paysafe SDK namespace and the declared repository URL points to a non-existent github.com/paysafe/paysafe-api repo. Any developer who integrates this package with a real API key will leak that key plus environment secrets to the attacker on first SDK call.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / paysafe-api

No fixed version published yet for paysafe-api (npm). Pin to a known-safe version or switch to an alternative.

References