VDB
KO

MAL-2026-10173

Malicious code in paysafe-vault (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bf94daa791fb670bda071f1b90b36f5b1f89dfb2ffc7eb7ccbf798fdff8915c1) The package impersonates a Paysafe Customer Vault SDK but is a credential stealer. index.js defines an __exfil() routine that collects os.hostname(), os.userInfo().username, process.cwd(), and every process.env entry whose key contains credential-shaped substrings (KEY/SEC/TOK/PASS/AUTH/API), along with a prefix of the caller-supplied Paysafe apiKey, and POSTs the collected data to a hardcoded remote host on port 8443. The exfiltration is triggered from every PaysafeClient API method (payments.*, customers.*) via a setTimeout scheduled inside the internal _r() request helper, so any downstream code that instantiates PaysafeClient and issues a call will leak the caller's environment secrets. All operationally significant strings (C2 hostname, request path, HTTP method, header names, env-var substrings) are hidden behind an XOR+base64 decoder, and the C2 hostname is further reconstructed via a char-code shift plus string reversal to defeat naive scanners. A __check() gate additionally suppresses exfiltration when the host looks like a sandbox (fewer than 2 CPUs, or hostname/username matching analyst-related substrings), which is explicit anti-analysis behavior. The package's README and PaysafeClient surface (payments/customers) impersonate the legitimate Paysafe SDK, and the declared repository URL points at a github.com/paysafe org path the publisher does not control.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / paysafe-vault

No fixed version published yet for paysafe-vault (npm). Pin to a known-safe version or switch to an alternative.

References