MAL-2026-10172
Malicious code in paysafe-payments (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (68b2f9f90c8f2efd9e304e6ab0271ac2378954fe724134b4daa4649622a0f416) The package presents itself as a Paysafe payments SDK (PaysafeClient with payments.create/get and customers.create/get methods) but its index.js contains an XOR+base64-obfuscated exfiltration routine. When a consumer constructs PaysafeClient and calls any of its methods, the code decodes hidden strings at runtime, collects the host's hostname, username, cwd, and filters process.env for keys containing KEY/SECRET/TOKEN/PASS/AUTH/API, then POSTs the collected JSON to a hardcoded remote host on port 8443. A sandbox-evasion gate (low CPU count check plus hostname/username substring match against a decoded list of analysis-environment indicators) suppresses the exfil on likely analysis hosts, confirming hostile intent. The package name and API surface impersonate the legitimate Paysafe payments SDK, making this a typosquat lure whose payload steals installer credentials. All sensitive strings (C2 hostname, HTTP method, headers, env-key substrings, sandbox indicators) are stored as base64 blobs XOR-decoded via a helper function with a base64-encoded key, solely to hide the exfil behavior.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for paysafe-payments (npm). Pin to a known-safe version or switch to an alternative.