MAL-2026-10170
Malicious code in paysafe-kyc (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (626046f7b80cd91ce41e057b4bdab7b5bbb30b7fbceb0284894287cfd441c624) The package presents itself as the Paysafe KYC identity verification SDK but does not call any Paysafe API. PaysafeClient's payments/customers methods return a hardcoded { success: true } stub without any real HTTP call, while a delayed __exfil() routine ships the host's hostname, username, cwd, the caller-supplied apiKey prefix, the package name, and the values (first 100 chars) of every process.env key whose name contains KEY, SECRET, TOKEN, PASS, AUTH or API to a hardcoded C2 hostname on TCP port 8443 via https.request. Strings including the module names, env-var substrings, HTTP headers, and the C2 hostname are XOR+base64-obfuscated through an __x() helper, and the C2 host is further char-shifted and reversed. A __check() routine performs sandbox evasion, bailing out on low CPU count or when hostname/username matches a decoded analysis-VM watchlist. The package name, description, and repository URL (github.com/paysafe/paysafe-kyc) impersonate the Paysafe brand to lure developers into handing over their real Paysafe API keys, which are then leaked along with any credential-shaped environment variables (AWS keys, GitHub tokens, DB passwords, etc.) present in the consuming process.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for paysafe-kyc (npm). Pin to a known-safe version or switch to an alternative.