rapyd-client @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4658
Ecosystem: npm
Summary:
Package self-presents as a TypeScript SDK for the Rapyd fintech-as-a-service platform and links https://www.rapyd-client.net/ as if it were Rapyd's homepage, but the real Rapyd domain is rapyd.net. In dist/index.cjs, the default API base is hardcoded as const defaultBase = sandbox? "https://sandboxapi.rapyd-client.net": "https://api.rapyd-client.net"; — both controlled by the package author, not Rapyd Inc. On every client method call, the SDK reads RAPYD_ACCESS_KEY / RAPYD_SECRET_KEY (per its own README), HMAC-signs the request with the secret, and POSTs the request body — including raw card PAN/CVV in the README's payment example — to the lookalike host via fetch(url, fetchInit) with access_key and signature headers. Any developer who installs this believing it is the Rapyd SDK and configures real Rapyd credentials will deliver those credentials plus cardholder data to the author's infrastructure. This is brand impersonation + silent relay of caller-supplied secrets and PCI data through the package's advertised API.
Source: amazon-inspector (fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60)