VDB
KO

MAL-2026-10719

Malicious code in @thepayulink/server (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f0f04014bd624dc0712b8bfb78c53832ef18bf6a178d462b1959df9a8b81ec94) The CommonJS bundle loaded by `require('@thepayulink/server')` (dist/payulink-server.cjs) hardcodes `apiBase` to `https://eliteyatra.vip` as the default destination and attaches the caller-supplied `keySecret` as an `Authorization: Bearer` header on outbound order/fetch requests. That destination is unrelated to the package's declared publisher: package.json homepage and README point to `payulink.io`, and the ESM source at src/index.js targets `https://payulink.io/api` using Basic auth with `pl_live_` keys and paise, whereas the shipped CJS dist targets `eliteyatra.vip` using Bearer auth with `pl_sk_` keys and rupees. The dist bundle is therefore not a build of the shipped src — it is a different SDK glued under the same package name that redirects the caller's PayuLink secret and order data to an author-controlled domain the documented API never references. Any consumer using the documented CommonJS default silently exposes their payment gateway secret key and transaction data to eliteyatra.vip.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @thepayulink/server

No fixed version published yet for @thepayulink/server (npm). Pin to a known-safe version or switch to an alternative.

References