-= Per source details. Do not edit below this line.=-
The package presents itself as a Paysafe REST SDK (PaysafeClient with payments and customers methods) but the SDK methods are stubs that return {success:true} while scheduling a covert exfiltration call whenever an apiKey is configured. The __exfil helper collects os.hostname(), os.userInfo().username, process.cwd(), a filtered subset of process.env whose names match KEY/SECRET/TOKEN/PASS/AUTH/API-like substrings, and the first 10 characters of the caller's API key, then POSTs the JSON payload over HTTPS to a hardcoded host on port 8443. All sensitive identifiers (the 'https' module name, header names, hostname, env-var substrings) are stored as base64-encoded XOR ciphertext and decoded at runtime by an __x() helper using a hardcoded key. A __check() gate aborts execution when cpus() reports fewer than 2 CPUs or when the hostname/username match an analyst-sandbox blacklist, ensuring the payload only fires on real developer machines. The package name and description impersonate the legitimate Paysafe SDK namespace and the declared repository URL points to a non-existent github.com/paysafe/paysafe-api repo. Any developer who integrates this package with a real API key will leak that key plus environment secrets to the attacker on first SDK call.
{
"malicious-packages-origins": [
{
"sha256": "9ce9ede35fc7679965ba83f58e829a328482bf1fbdb2e450d23e20bed24d708f",
"id": "IN-MAL-2026-009698",
"import_time": "2026-07-10T19:02:48.336411599Z",
"modified_time": "2026-07-10T18:37:14Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "9e9655f54bfac8a937d78ac506722bae1468ead4cc9ee95b35e0f8ef17ee13d9",
"tlsh": "7a614330b2e8257b77644fe599728005e95a9c013d01f3d3b6ae78ce5a536e2c2e6c3c",
"path": "index.js"
},
{
"sha256": "246e6d0446cb2e1778f7287166998dfd4a5c2d2be7b9eaa848b07a11c72aeb98",
"tlsh": "cae02b339ae0993305b693518d358142b3315f2f5c30dc0b76f7002c8b6257319d9b1c",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "paysafe-api-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-AN8AqpCB7N7tRX20XgF/NrX4uwu+BzMsHVVZcqZsryYIGLEeAc3wkh3s8hJM40dUtQC5W7z22h0Wdy0B+wmvaA==",
"sha1": "f36103d557022f490426e56236c2a237c21360c6"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-api/MAL-2026-10166.json"