{"id":"MAL-2026-10172","summary":"Malicious code in paysafe-payments (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (68b2f9f90c8f2efd9e304e6ab0271ac2378954fe724134b4daa4649622a0f416)\nThe package presents itself as a Paysafe payments SDK (PaysafeClient with payments.create/get and customers.create/get methods) but its index.js contains an XOR+base64-obfuscated exfiltration routine. When a consumer constructs PaysafeClient and calls any of its methods, the code decodes hidden strings at runtime, collects the host's hostname, username, cwd, and filters process.env for keys containing KEY/SECRET/TOKEN/PASS/AUTH/API, then POSTs the collected JSON to a hardcoded remote host on port 8443. A sandbox-evasion gate (low CPU count check plus hostname/username substring match against a decoded list of analysis-environment indicators) suppresses the exfil on likely analysis hosts, confirming hostile intent. The package name and API surface impersonate the legitimate Paysafe payments SDK, making this a typosquat lure whose payload steals installer credentials. All sensitive strings (C2 hostname, HTTP method, headers, env-key substrings, sandbox indicators) are stored as base64 blobs XOR-decoded via a helper function with a base64-encoded key, solely to hide the exfil behavior.\n","modified":"2026-07-10T19:16:58.270635569Z","published":"2026-07-10T18:38:06Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"sha256":"68b2f9f90c8f2efd9e304e6ab0271ac2378954fe724134b4daa4649622a0f416","import_time":"2026-07-10T19:02:48.620097687Z","id":"IN-MAL-2026-009704","modified_time":"2026-07-10T18:38:06Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/paysafe-payments/v/1.0.0"}],"affected":[{"package":{"name":"paysafe-payments","ecosystem":"npm","purl":"pkg:npm/paysafe-payments"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-03c6fj5onaJcraKySWhduGgVTQWqVwTm8IsrDDBe5CMh5FfYocu+UF6MPv4pXnJbGFtF1P4cpqEkYmbCQBHZ9A==","sha1":"6a4477c34f94c04cccf35904f9918e0daa940ad4"},"filename":"paysafe-payments-1.0.0.tgz"}],"evidence_files":[{"tlsh":"75611130f2d865377b608fe55cb18451a85a5d013d06f393bb7c78cd5e939a182d687c","sha256":"9727c804c4354e481d2ff9d4934bd1b2518293a9ca34a14f5c7ae9d0cd30ce94","path":"index.js"},{"tlsh":"93f02b33e9905d2311fa975198748203b7214f1fa9704c0b3aff501c8b6297318ddb1d","sha256":"5596d41341679f18c432b4f906803f2e8885277c8bd65ff9886294aa327da2c4","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-payments/MAL-2026-10172.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}