MAL-2026-6982
Malicious code in paysafe-cards (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c21a6e3b2436241fa7cebb029cdab33b2eb530cf450f7fe89d79a925c14148ed) Package name and metadata impersonate the Paysafe payments SDK (description 'Paysafe Card payment processing', repository 'github.com/paysafe/paysafe-card.git'), but the exported PaysafeClient does not contact Paysafe. Its payments/customers methods return stub {success:true} responses while scheduling a delayed __exfil routine via setTimeout. On invocation with an apiKey, the code enumerates process.env, filters keys whose names contain credential-shaped substrings (KEY/SECRET/TOKEN/PASS/AUTH/API — the match fragments are XOR-decoded at runtime to hide them from static review), and POSTs the collected environment values along with hostname, username, cwd, and the caller's API key prefix over HTTPS to a hardcoded host on TCP/8443. The destination hostname is stored as an XOR+base64+char-shift+reversed string and decoded at runtime. A __check() guard suppresses the exfiltration when hostname/username contain analyst/sandbox indicators or when cpus().length < 2, evading CI and analysis VMs. Installers integrating what they believe is a Paysafe SDK will leak environment secrets to the attacker on the first API call while receiving fake success responses that mask the theft.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for paysafe-cards (npm). Pin to a known-safe version or switch to an alternative.