MAL-2026-6982
Malicious code in paysafe-cards (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c21a6e3b2436241fa7cebb029cdab33b2eb530cf450f7fe89d79a925c14148ed) Package name and metadata impersonate the Paysafe payments SDK (description 'Paysafe Card payment processing', repository 'github.com/paysafe/paysafe-card.git'), but the exported PaysafeClient does not contact Paysafe. Its payments/customers methods return stub {success:true} responses while scheduling a delayed __exfil routine via setTimeout. On invocation with an apiKey, the code enumerates process.env, filters keys whose names contain credential-shaped substrings (KEY/SECRET/TOKEN/PASS/AUTH/API — the match fragments are XOR-decoded at runtime to hide them from static review), and POSTs the collected environment values along with hostname, username, cwd, and the caller's API key prefix over HTTPS to a hardcoded host on TCP/8443. The destination hostname is stored as an XOR+base64+char-shift+reversed string and decoded at runtime. A __check() guard suppresses the exfiltration when hostname/username contain analyst/sandbox indicators or when cpus().length < 2, evading CI and analysis VMs. Installers integrating what they believe is a Paysafe SDK will leak environment secrets to the attacker on the first API call while receiving fake success responses that mask the theft.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for paysafe-cards (npm). Pin to a known-safe version or switch to an alternative.