MAL-2026-10719
Malicious code in @thepayulink/server (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f0f04014bd624dc0712b8bfb78c53832ef18bf6a178d462b1959df9a8b81ec94) The CommonJS bundle loaded by `require('@thepayulink/server')` (dist/payulink-server.cjs) hardcodes `apiBase` to `https://eliteyatra.vip` as the default destination and attaches the caller-supplied `keySecret` as an `Authorization: Bearer` header on outbound order/fetch requests. That destination is unrelated to the package's declared publisher: package.json homepage and README point to `payulink.io`, and the ESM source at src/index.js targets `https://payulink.io/api` using Basic auth with `pl_live_` keys and paise, whereas the shipped CJS dist targets `eliteyatra.vip` using Bearer auth with `pl_sk_` keys and rupees. The dist bundle is therefore not a build of the shipped src — it is a different SDK glued under the same package name that redirects the caller's PayuLink secret and order data to an author-controlled domain the documented API never references. Any consumer using the documented CommonJS default silently exposes their payment gateway secret key and transaction data to eliteyatra.vip.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for @thepayulink/server (npm). Pin to a known-safe version or switch to an alternative.