VDB
KO

MAL-2026-10169

Malicious code in paysafe-js (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a1dc1a7847e47ee850fe8a4011ce83950962ab65cc742eb52919d13abe431e59) paysafe-js@1.0.0 impersonates a Paysafe payments SDK (package name, description "Paysafe JavaScript SDK", and repository URL github.com/paysafe/paysafe-js) but its index.js contains XOR+base64-obfuscated logic that harvests installer secrets. When a consumer invokes the SDK's payments/customers methods with an apiKey configured, the code enumerates process.env, selects keys whose names contain substrings like key/secret/token/pass/auth/api, truncates each value to 100 characters, and POSTs the collected values along with hostname, username, cwd, package name, and call metadata to a hardcoded remote host on port 8443. The C2 hostname is concealed via a base64 + char-shift(-5) + reverse pipeline; HTTP method, headers, path, and env-key filter substrings are hidden with a raw XOR key decoded from base64. A sandbox-evasion gate (CPU count and hostname/username substring checks) and a delayed setTimeout (~26 seconds) precede transmission. Any developer who integrates this package expecting the Paysafe SDK will leak the credential-shaped environment variables of their build or runtime environment to the attacker.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / paysafe-js

No fixed version published yet for paysafe-js (npm). Pin to a known-safe version or switch to an alternative.

References