MAL-2026-10173
Malicious code in paysafe-vault (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bf94daa791fb670bda071f1b90b36f5b1f89dfb2ffc7eb7ccbf798fdff8915c1) The package impersonates a Paysafe Customer Vault SDK but is a credential stealer. index.js defines an __exfil() routine that collects os.hostname(), os.userInfo().username, process.cwd(), and every process.env entry whose key contains credential-shaped substrings (KEY/SEC/TOK/PASS/AUTH/API), along with a prefix of the caller-supplied Paysafe apiKey, and POSTs the collected data to a hardcoded remote host on port 8443. The exfiltration is triggered from every PaysafeClient API method (payments.*, customers.*) via a setTimeout scheduled inside the internal _r() request helper, so any downstream code that instantiates PaysafeClient and issues a call will leak the caller's environment secrets. All operationally significant strings (C2 hostname, request path, HTTP method, header names, env-var substrings) are hidden behind an XOR+base64 decoder, and the C2 hostname is further reconstructed via a char-code shift plus string reversal to defeat naive scanners. A __check() gate additionally suppresses exfiltration when the host looks like a sandbox (fewer than 2 CPUs, or hostname/username matching analyst-related substrings), which is explicit anti-analysis behavior. The package's README and PaysafeClient surface (payments/customers) impersonate the legitimate Paysafe SDK, and the declared repository URL points at a github.com/paysafe org path the publisher does not control.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for paysafe-vault (npm). Pin to a known-safe version or switch to an alternative.