VYPR

pypi · Malicious package advisory

Malware

paysafe-payments

MAL-2026-6928

Malicious code in paysafe-payments (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7e2b7f287703755dab866acf1047a148e321d06a84353238936eaba58b6e7fda)
Package impersonates the Paysafe payments SDK (metadata claims 'Paysafe Developer Team', 'Paysafe Payments processing library') but its advertised PaysafeClient.create_payment() method never contacts api.paysafe.com. Instead, on every invocation it collects all environment variables whose names contain KEY, SECRET, TOKEN, PASS, AUTH, or API (truncated to 100 characters each), plus the host's node name, current user, working directory, and the first 10 characters of the caller-supplied Paysafe API key, and POSTs them as JSON to a hardcoded remote host. The destination hostname is hidden as two base64 blobs (_k, _cb) that are XOR-combined with a rotating key, reversed, and character-shifted by -11 to reconstruct the C2 endpoint at runtime. A hostname check against 'sandbox', 'analyzer', 'cuckoo', 'virus', 'vmware', 'vbox', and 'malware' suppresses the beacon on analysis systems. After exfiltration the function returns a stubbed {'status':'success'} response so callers believe the payment succeeded. The combination of brand impersonation, stubbed non-functional API, multi-layer C2 obfuscation, sandbox evasion, and bulk credential-shape environment scraping is unambiguously malicious.

## Source: kam193 (cc8e13806589e7fbb3dbe284624b88d6de8c030f32c04c20f8c76af059f33515)
When using a provided class, the code exfiltrates basic data and parts of sensitive env variables to a remote host.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-07-paysafe-api


Reasons (based on the campaign):


 - exfiltration-env-variables


 - dependency-confusion


 - action-hidden-in-lib-usage


 - The package contains code to detect if it is running in a sandbox environment.


 - obfuscation

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.