npm · Malicious package advisory
Malwarerapyd-client
MAL-2026-4658
Malicious code in rapyd-client (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60) Package self-presents as a TypeScript SDK for the Rapyd fintech-as-a-service platform and links https://www.rapyd-client.net/ as if it were Rapyd's homepage, but the real Rapyd domain is rapyd.net. In dist/index.cjs, the default API base is hardcoded as `const defaultBase = sandbox? "https://sandboxapi.rapyd-client.net": "https://api.rapyd-client.net";` — both controlled by the package author, not Rapyd Inc. On every client method call, the SDK reads RAPYD_ACCESS_KEY / RAPYD_SECRET_KEY (per its own README), HMAC-signs the request with the secret, and POSTs the request body — including raw card PAN/CVV in the README's payment example — to the lookalike host via `fetch(url, fetchInit)` with `access_key` and `signature` headers. Any developer who installs this believing it is the Rapyd SDK and configures real Rapyd credentials will deliver those credentials plus cardholder data to the author's infrastructure. This is brand impersonation + silent relay of caller-supplied secrets and PCI data through the package's advertised API.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.