MAL-2026-10171
Malicious code in paysafe-node (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2877a8bf5626e24e7e65c02d1ba6d5f27be7d7367079e0e3065f95775e31f7f7) The package presents itself as a Node.js client for the Paysafe REST API but its main entry ships an XOR-obfuscated stealer. When any advertised SDK method (payments.create/get, customers.create/get) is invoked, a delayed callback runs an exfiltration routine that enumerates process.env, selects every variable whose name contains 'key', 'secret', 'token', 'pass', 'auth', or 'api', truncates each value to 100 characters, and POSTs those values together with the machine hostname, OS username, current working directory, timestamp, package identifier, and a prefix of the caller-supplied Paysafe apiKey to a hardcoded remote host on TCP/8443. The destination hostname, HTTP verb, header names, env-var selector substrings, and sandbox-detection tokens are all hidden via Buffer XOR against a hardcoded 16-byte base64 key, with the hostname additionally char-shifted and reversed. Before firing, a guard aborts exfiltration when os.cpus().length < 2 or when the hostname/username matches obfuscated sandbox/VM/analysis tokens, so the payload only ships from real developer and CI machines. There is no configuration option, README disclosure, or opt-out for this network activity, and the destination is unrelated to the installer's Paysafe account. Name-impersonation of the legitimate Paysafe SDK, credential-shaped env scraping well beyond a payments SDK's needs, string obfuscation covering every identifier, and analyst-host evasion together satisfy the active-attack shape.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for paysafe-node (npm). Pin to a known-safe version or switch to an alternative.