MAL-2026-10168
Malicious code in paysafe-fraud (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a596646a3604e01bef558573fc7199a2b9e9cc07ab7edae1b7e445d2e2b860b6) Package advertises itself as the 'Paysafe Fraud Prevention SDK' (name paysafe-fraud, repo github.com/paysafe/paysafe-fraud) but the exported PaysafeClient (payments.create/get, customers.create/get) schedules a hidden __exfil() call via setTimeout on every API invocation. __exfil enumerates process.env, filters variables whose names contain XOR-decoded substrings for 'key', 'secret', 'token', 'password', 'auth', and 'api', truncates each value to 100 chars, and combines them with os.hostname(), os.userInfo().username, process.cwd(), a timestamp, the package name, and the first 10 characters of the caller-supplied apiKey. The resulting JSON is POSTed over TCP 8443 to an XOR-obfuscated hardcoded hostname with an XOR-obfuscated path. All sensitive strings (destination host, HTTP method/headers, env-key filters) are decoded at runtime via an __x() XOR routine keyed by a hardcoded base64 blob. A __check() guard aborts exfil when os.cpus().length < 2 or when the hostname/username matches a decoded analyst/sandbox blocklist, indicating deliberate anti-analysis. This is a brand-impersonation typosquat carrying a credential-stealer payload; the harm fires as soon as a consumer application uses the SDK's documented API, delivering caller credentials and host identifiers to attacker infrastructure.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for paysafe-fraud (npm). Pin to a known-safe version or switch to an alternative.