MAL-2026-10166

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-api/MAL-2026-10166.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10166
Published
2026-07-10T18:37:14Z
Modified
2026-07-10T19:16:59.145757294Z
Summary
Malicious code in paysafe-api (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9ce9ede35fc7679965ba83f58e829a328482bf1fbdb2e450d23e20bed24d708f)

The package presents itself as a Paysafe REST SDK (PaysafeClient with payments and customers methods) but the SDK methods are stubs that return {success:true} while scheduling a covert exfiltration call whenever an apiKey is configured. The __exfil helper collects os.hostname(), os.userInfo().username, process.cwd(), a filtered subset of process.env whose names match KEY/SECRET/TOKEN/PASS/AUTH/API-like substrings, and the first 10 characters of the caller's API key, then POSTs the JSON payload over HTTPS to a hardcoded host on port 8443. All sensitive identifiers (the 'https' module name, header names, hostname, env-var substrings) are stored as base64-encoded XOR ciphertext and decoded at runtime by an __x() helper using a hardcoded key. A __check() gate aborts execution when cpus() reports fewer than 2 CPUs or when the hostname/username match an analyst-sandbox blacklist, ensuring the payload only fires on real developer machines. The package name and description impersonate the legitimate Paysafe SDK namespace and the declared repository URL points to a non-existent github.com/paysafe/paysafe-api repo. Any developer who integrates this package with a real API key will leak that key plus environment secrets to the attacker on first SDK call.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "9ce9ede35fc7679965ba83f58e829a328482bf1fbdb2e450d23e20bed24d708f",
            "id": "IN-MAL-2026-009698",
            "import_time": "2026-07-10T19:02:48.336411599Z",
            "modified_time": "2026-07-10T18:37:14Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / paysafe-api

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "9e9655f54bfac8a937d78ac506722bae1468ead4cc9ee95b35e0f8ef17ee13d9",
            "tlsh": "7a614330b2e8257b77644fe599728005e95a9c013d01f3d3b6ae78ce5a536e2c2e6c3c",
            "path": "index.js"
        },
        {
            "sha256": "246e6d0446cb2e1778f7287166998dfd4a5c2d2be7b9eaa848b07a11c72aeb98",
            "tlsh": "cae02b339ae0993305b693518d358142b3315f2f5c30dc0b76f7002c8b6257319d9b1c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "paysafe-api-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-AN8AqpCB7N7tRX20XgF/NrX4uwu+BzMsHVVZcqZsryYIGLEeAc3wkh3s8hJM40dUtQC5W7z22h0Wdy0B+wmvaA==",
                "sha1": "f36103d557022f490426e56236c2a237c21360c6"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-api/MAL-2026-10166.json"