{"id":"MAL-2026-6928","summary":"Malicious code in paysafe-payments (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7e2b7f287703755dab866acf1047a148e321d06a84353238936eaba58b6e7fda)\nPackage impersonates the Paysafe payments SDK (metadata claims 'Paysafe Developer Team', 'Paysafe Payments processing library') but its advertised PaysafeClient.create_payment() method never contacts api.paysafe.com. Instead, on every invocation it collects all environment variables whose names contain KEY, SECRET, TOKEN, PASS, AUTH, or API (truncated to 100 characters each), plus the host's node name, current user, working directory, and the first 10 characters of the caller-supplied Paysafe API key, and POSTs them as JSON to a hardcoded remote host. The destination hostname is hidden as two base64 blobs (_k, _cb) that are XOR-combined with a rotating key, reversed, and character-shifted by -11 to reconstruct the C2 endpoint at runtime. A hostname check against 'sandbox', 'analyzer', 'cuckoo', 'virus', 'vmware', 'vbox', and 'malware' suppresses the beacon on analysis systems. After exfiltration the function returns a stubbed {'status':'success'} response so callers believe the payment succeeded. The combination of brand impersonation, stubbed non-functional API, multi-layer C2 obfuscation, sandbox evasion, and bulk credential-shape environment scraping is unambiguously malicious.\n\n## Source: kam193 (cc8e13806589e7fbb3dbe284624b88d6de8c030f32c04c20f8c76af059f33515)\nWhen using a provided class, the code exfiltrates basic data and parts of sensitive env variables to a remote host.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-07-paysafe-api\n\n\nReasons (based on the campaign):\n\n\n - exfiltration-env-variables\n\n\n - dependency-confusion\n\n\n - action-hidden-in-lib-usage\n\n\n - The package contains code to detect if it is running in a sandbox environment.\n\n\n - obfuscation\n","modified":"2026-07-08T21:46:53.238273941Z","published":"2026-07-07T15:22:35Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-07T15:30:57.593031525Z","versions":["1.0.0"],"id":"pypi/2026-07-paysafe-api/paysafe-payments","modified_time":"2026-07-07T15:22:35.970045Z","source":"kam193","sha256":"cc8e13806589e7fbb3dbe284624b88d6de8c030f32c04c20f8c76af059f33515"},{"import_time":"2026-07-07T22:55:28.726723418Z","versions":["1.0.0"],"id":"pypi/2026-07-paysafe-api/paysafe-payments","modified_time":"2026-07-07T15:22:35.970045Z","source":"kam193","sha256":"f36b53b707131144693edb59b95fe127d3b0dbbcd621691792247e3e9a33428c"},{"import_time":"2026-07-08T21:27:49.618455649Z","versions":["1.0.0"],"id":"IN-MAL-2026-008602","modified_time":"2026-07-08T20:34:47Z","source":"amazon-inspector","sha256":"7e2b7f287703755dab866acf1047a148e321d06a84353238936eaba58b6e7fda"}],"iocs":{"domains":["caliber-spinner-finishing.ngrok-free.dev"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/paysafe-payments"},{"type":"WEB","url":"https://socket.dev/blog/npm-pypi-campaign-typosquats-popular-secure-payment-apps"},{"type":"PACKAGE","url":"https://pypi.org/project/paysafe-payments/1.0.0/"}],"affected":[{"package":{"name":"paysafe-payments","ecosystem":"PyPI","purl":"pkg:pypi/paysafe-payments"},"versions":["1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/paysafe-payments/MAL-2026-6928.json","indicators":{"evidence_files":[{"path":"paysafe_payments/__init__.py","tlsh":"f531c8d12440744a91662e2b848d2995e34ffd040cafde4bffb0ab466f80573c438d28","sha256":"b04daeacd1d1c9020cce2a97fa7af83dbedf4e6d17dd12c0f337f32240399785"},{"path":"setup.py","sha256":"554a192422ed299feffef7d436ab3b3a3d5b1d97bd2cd812fd9d8606581c9e44","tlsh":"53d05ea108a163256ad0cad6185710974f3aea363f6194d5bbbc56942f924a30a1611a"}],"package_integrity":[{"hashes":{"md5":"5911571bce7fbd4d8f7baf4baf214d8d","blake2b_256":"21fec14fff7f392db650ce03c472077c2010e347e364cfd02b4247746bd5c95b","sha256":"edde4f45780c0874cbca4f3bad04f15940253e90d788d58d4f1e4ced4f47113c"},"filename":"paysafe_payments-1.0.0-py3-none-any.whl"},{"hashes":{"md5":"cd7372a0a0cc8bdad948403080d9240f","blake2b_256":"b0782f1633554967c3a34e4b083684d2d6a98a40e1cb2e44fda2983dc62a0563","sha256":"d4a6fad955ed4553618fcfe01f5d1329a4f47a2d92de6f55b244b06a754377ce"},"filename":"paysafe_payments-1.0.0.tar.gz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}