npm

paysafe-js @1.0.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 10:34 PM UTC

Malicious

OSV ID

MAL-2026-10169

Ecosystem

npm

Summary

paysafe-js@1.0.0 impersonates a Paysafe payments SDK (package name, description "Paysafe JavaScript SDK", and repository URL github.com/paysafe/paysafe-js) but its index.js contains XOR+base64-obfuscated logic that harvests installer secrets. When a consumer invokes the SDK's payments/customers methods with an apiKey configured, the code enumerates process.env, selects keys whose names contain substrings like key/secret/token/pass/auth/api, truncates each value to 100 characters, and POSTs the collected values along with hostname, username, cwd, package name, and call metadata to a hardcoded remote host on port 8443. The C2 hostname is concealed via a base64 + char-shift(-5) + reverse pipeline; HTTP method, headers, path, and env-key filter substrings are hidden with a raw XOR key decoded from base64. A sandbox-evasion gate (CPU count and hostname/username substring checks) and a delayed setTimeout (~26 seconds) precede transmission. Any developer who integrates this package expecting the Paysafe SDK will leak the credential-shaped environment variables of their build or runtime environment to the attacker.

Source: amazon-inspector (a1dc1a7847e47ee850fe8a4011ce83950962ab65cc742eb52919d13abe431e59)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.