paysafe-node @1.0.0
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 10:34 PM UTC
OSV ID
MAL-2026-10171
Ecosystem
npm
Summary
The package presents itself as a Node.js client for the Paysafe REST API but its main entry ships an XOR-obfuscated stealer. When any advertised SDK method (payments.create/get, customers.create/get) is invoked, a delayed callback runs an exfiltration routine that enumerates process.env, selects every variable whose name contains 'key', 'secret', 'token', 'pass', 'auth', or 'api', truncates each value to 100 characters, and POSTs those values together with the machine hostname, OS username, current working directory, timestamp, package identifier, and a prefix of the caller-supplied Paysafe apiKey to a hardcoded remote host on TCP/8443. The destination hostname, HTTP verb, header names, env-var selector substrings, and sandbox-detection tokens are all hidden via Buffer XOR against a hardcoded 16-byte base64 key, with the hostname additionally char-shifted and reversed. Before firing, a guard aborts exfiltration when os.cpus().length < 2 or when the hostname/username matches obfuscated sandbox/VM/analysis tokens, so the payload only ships from real developer and CI machines. There is no configuration option, README disclosure, or opt-out for this network activity, and the destination is unrelated to the installer's Paysafe account. Name-impersonation of the legitimate Paysafe SDK, credential-shaped env scraping well beyond a payments SDK's needs, string obfuscation covering every identifier, and analyst-host evasion together satisfy the active-attack shape.
Source: amazon-inspector (2877a8bf5626e24e7e65c02d1ba6d5f27be7d7367079e0e3065f95775e31f7f7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.