npm

paysafe-payments @1.0.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 10:34 PM UTC

Malicious

OSV ID

MAL-2026-10172

Ecosystem

npm

Summary

The package presents itself as a Paysafe payments SDK (PaysafeClient with payments.create/get and customers.create/get methods) but its index.js contains an XOR+base64-obfuscated exfiltration routine. When a consumer constructs PaysafeClient and calls any of its methods, the code decodes hidden strings at runtime, collects the host's hostname, username, cwd, and filters process.env for keys containing KEY/SECRET/TOKEN/PASS/AUTH/API, then POSTs the collected JSON to a hardcoded remote host on port 8443. A sandbox-evasion gate (low CPU count check plus hostname/username substring match against a decoded list of analysis-environment indicators) suppresses the exfil on likely analysis hosts, confirming hostile intent. The package name and API surface impersonate the legitimate Paysafe payments SDK, making this a typosquat lure whose payload steals installer credentials. All sensitive strings (C2 hostname, HTTP method, headers, env-key substrings, sandbox indicators) are stored as base64 blobs XOR-decoded via a helper function with a base64-encoded key, solely to hide the exfil behavior.

Source: amazon-inspector (68b2f9f90c8f2efd9e304e6ab0271ac2378954fe724134b4daa4649622a0f416)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.