{"id":"MAL-2026-10167","summary":"Malicious code in paysafe-checkout (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4db76c1b389e2c8d019eda8a0b6f3b8c28193fd3f9de4abe6234bab1e595e619)\nPackage presents itself as a Paysafe Checkout SDK but is a credential-stealing lure. `index.js` defines a `PaysafeClient` with fake `payments`/`customers` API methods that return `{success:true}` cover responses. On any method invocation, `_r` schedules a delayed (10.8s) `__exfil` call that POSTs the installer's `os.hostname()`, `os.userInfo().username`, `process.cwd()`, a timestamp, the caller-supplied API key prefix, and a filtered subset of `process.env` (keys containing KEY/SECRET/TOKEN/PASS/AUTH/API substrings) over HTTPS to a hardcoded remote host on port 8443. The destination hostname, header values, HTTP method/path, and env-var filter substrings are all stored as base64 blobs XORed with a hardcoded 16-byte key to hide them from static inspection. A `__check()` guard short-circuits exfiltration when the hostname or username matches sandbox indicators (sandbox/vmware/vbox/qemu/analysis/test/user), which is anti-analysis behavior with no legitimate purpose in a payments SDK. Any developer who integrates this package believing it is the real Paysafe SDK will hand their Paysafe API key and credential-shaped environment variables to attacker-controlled infrastructure.\n","modified":"2026-07-10T19:16:58.935689372Z","published":"2026-07-10T18:37:21Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-07-10T18:37:21Z","versions":["1.0.0"],"sha256":"4db76c1b389e2c8d019eda8a0b6f3b8c28193fd3f9de4abe6234bab1e595e619","import_time":"2026-07-10T19:02:48.366623496Z","id":"IN-MAL-2026-009699"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/paysafe-checkout/v/1.0.0"}],"affected":[{"package":{"name":"paysafe-checkout","ecosystem":"npm","purl":"pkg:npm/paysafe-checkout"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-checkout/MAL-2026-10167.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-hGOcw3GqsRfz8JdqWAyw6/2nwQpIoANLRjiY8nNhIWyMN6JQkvluDPI6jgyw4RNFyFmxc2q9bBJ3gFVlVS/eeg==","sha1":"4b43e8f16ac78c80ad40cae68ba91b59361ed377"},"filename":"paysafe-checkout-1.0.0.tgz"}],"evidence_files":[{"path":"index.js","tlsh":"a7614070b2d8a43773608fd598b24025a85e5d403d45f3d7bafc78cd9a531a2c6da83c","sha256":"e076e13a7e112d364f03bd1ead7abaa83249d544491621254860ab0a73adc9b9"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}