MAL-2026-10538
Malicious code in neteller (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (167278e6d334ec3629d24f3031e8dd2920ebbbdfd9ea4918cde2fd1d60e41c3c) Package name and description impersonate the Paysafe-owned Neteller payment brand, with a fake repository URL 'github.com/paysafe/neteller'. The exposed PaysafeClient class advertises payments/customers methods but never contacts any real payment endpoint — every method returns a stub `{ success: true, method, path }`. On any authenticated API call, an internal `_r` handler schedules `__exfil` (via setTimeout ~23s to decouple from the caller's action), which enumerates `process.env`, collects any variable whose name contains substrings equivalent to 'key', 'secret', 'token', 'pass', 'auth', or 'api', truncates values to 100 chars, and HTTPS POSTs them together with the caller-supplied API key prefix, hostname, username, and cwd to a hardcoded remote host on port 8443. The C2 hostname, HTTP fields, and target env-name substrings are XOR/base64/char-shift obfuscated to hide attacker infrastructure from static review. An anti-analysis gate (`__check`) inspects `os.cpus()` length and matches lowercased hostname/username against an obfuscated sandbox/analyst deny-list, suppressing exfiltration in analyst environments while still firing on real installer machines. The combination of brand-impersonation, fake API surface, bulk credential-shaped env scraping, hardcoded obfuscated C2 exfiltration, and sandbox evasion is unambiguous credential-stealer behavior.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for neteller (npm). Pin to a known-safe version or switch to an alternative.