@thepayulink/server @2.0.0
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10719
Ecosystem
npm
Summary
The CommonJS bundle loaded by require('@thepayulink/server') (dist/payulink-server.cjs) hardcodes apiBase to https://eliteyatra.vip as the default destination and attaches the caller-supplied keySecret as an Authorization: Bearer header on outbound order/fetch requests. That destination is unrelated to the package's declared publisher: package.json homepage and README point to payulink.io , and the ESM source at src/index.js targets https://payulink.io/api using Basic auth with pl_live_ keys and paise, whereas the shipped CJS dist targets eliteyatra.vip using Bearer auth with pl_sk_ keys and rupees. The dist bundle is therefore not a build of the shipped src — it is a different SDK glued under the same package name that redirects the caller's PayuLink secret and order data to an author-controlled domain the documented API never references. Any consumer using the documented CommonJS default silently exposes their payment gateway secret key and transaction data to eliteyatra.vip.
Source: amazon-inspector (f0f04014bd624dc0712b8bfb78c53832ef18bf6a178d462b1959df9a8b81ec94)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.