VYPR

npm · Malicious package advisory

Malware

paysafe-api

MAL-2026-10166

Malicious code in paysafe-api (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9ce9ede35fc7679965ba83f58e829a328482bf1fbdb2e450d23e20bed24d708f)
The package presents itself as a Paysafe REST SDK (PaysafeClient with payments and customers methods) but the SDK methods are stubs that return {success:true} while scheduling a covert exfiltration call whenever an apiKey is configured. The __exfil helper collects os.hostname(), os.userInfo().username, process.cwd(), a filtered subset of process.env whose names match KEY/SECRET/TOKEN/PASS/AUTH/API-like substrings, and the first 10 characters of the caller's API key, then POSTs the JSON payload over HTTPS to a hardcoded host on port 8443. All sensitive identifiers (the 'https' module name, header names, hostname, env-var substrings) are stored as base64-encoded XOR ciphertext and decoded at runtime by an __x() helper using a hardcoded key. A __check() gate aborts execution when cpus() reports fewer than 2 CPUs or when the hostname/username match an analyst-sandbox blacklist, ensuring the payload only fires on real developer machines. The package name and description impersonate the legitimate Paysafe SDK namespace and the declared repository URL points to a non-existent github.com/paysafe/paysafe-api repo. Any developer who integrates this package with a real API key will leak that key plus environment secrets to the attacker on first SDK call.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.