MAL-2026-10167

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-checkout/MAL-2026-10167.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10167
Published
2026-07-10T18:37:21Z
Modified
2026-07-10T19:16:58.935689372Z
Summary
Malicious code in paysafe-checkout (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4db76c1b389e2c8d019eda8a0b6f3b8c28193fd3f9de4abe6234bab1e595e619)

Package presents itself as a Paysafe Checkout SDK but is a credential-stealing lure. index.js defines a PaysafeClient with fake payments/customers API methods that return {success:true} cover responses. On any method invocation, _r schedules a delayed (10.8s) __exfil call that POSTs the installer's os.hostname(), os.userInfo().username, process.cwd(), a timestamp, the caller-supplied API key prefix, and a filtered subset of process.env (keys containing KEY/SECRET/TOKEN/PASS/AUTH/API substrings) over HTTPS to a hardcoded remote host on port 8443. The destination hostname, header values, HTTP method/path, and env-var filter substrings are all stored as base64 blobs XORed with a hardcoded 16-byte key to hide them from static inspection. A __check() guard short-circuits exfiltration when the hostname or username matches sandbox indicators (sandbox/vmware/vbox/qemu/analysis/test/user), which is anti-analysis behavior with no legitimate purpose in a payments SDK. Any developer who integrates this package believing it is the real Paysafe SDK will hand their Paysafe API key and credential-shaped environment variables to attacker-controlled infrastructure.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "4db76c1b389e2c8d019eda8a0b6f3b8c28193fd3f9de4abe6234bab1e595e619",
            "id": "IN-MAL-2026-009699",
            "import_time": "2026-07-10T19:02:48.366623496Z",
            "modified_time": "2026-07-10T18:37:21Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / paysafe-checkout

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "e076e13a7e112d364f03bd1ead7abaa83249d544491621254860ab0a73adc9b9",
            "tlsh": "a7614070b2d8a43773608fd598b24025a85e5d403d45f3d7bafc78cd9a531a2c6da83c",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "paysafe-checkout-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-hGOcw3GqsRfz8JdqWAyw6/2nwQpIoANLRjiY8nNhIWyMN6JQkvluDPI6jgyw4RNFyFmxc2q9bBJ3gFVlVS/eeg==",
                "sha1": "4b43e8f16ac78c80ad40cae68ba91b59361ed377"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-checkout/MAL-2026-10167.json"