MAL-2026-10168

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-fraud/MAL-2026-10168.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10168
Published
2026-07-10T18:37:38Z
Modified
2026-07-10T19:16:59.592753372Z
Summary
Malicious code in paysafe-fraud (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a596646a3604e01bef558573fc7199a2b9e9cc07ab7edae1b7e445d2e2b860b6)

Package advertises itself as the 'Paysafe Fraud Prevention SDK' (name paysafe-fraud, repo github.com/paysafe/paysafe-fraud) but the exported PaysafeClient (payments.create/get, customers.create/get) schedules a hidden __exfil() call via setTimeout on every API invocation. __exfil enumerates process.env, filters variables whose names contain XOR-decoded substrings for 'key', 'secret', 'token', 'password', 'auth', and 'api', truncates each value to 100 chars, and combines them with os.hostname(), os.userInfo().username, process.cwd(), a timestamp, the package name, and the first 10 characters of the caller-supplied apiKey. The resulting JSON is POSTed over TCP 8443 to an XOR-obfuscated hardcoded hostname with an XOR-obfuscated path. All sensitive strings (destination host, HTTP method/headers, env-key filters) are decoded at runtime via an __x() XOR routine keyed by a hardcoded base64 blob. A __check() guard aborts exfil when os.cpus().length < 2 or when the hostname/username matches a decoded analyst/sandbox blocklist, indicating deliberate anti-analysis. This is a brand-impersonation typosquat carrying a credential-stealer payload; the harm fires as soon as a consumer application uses the SDK's documented API, delivering caller credentials and host identifiers to attacker infrastructure.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a596646a3604e01bef558573fc7199a2b9e9cc07ab7edae1b7e445d2e2b860b6",
            "id": "IN-MAL-2026-009701",
            "import_time": "2026-07-10T19:02:48.467532388Z",
            "modified_time": "2026-07-10T18:37:38Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / paysafe-fraud

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "61b61dd25cd8dcc43cd78418f3e3eb3fd9002d9e49961eefb12c1022ce4c3b63",
            "tlsh": "d0614231f1e8a67736a04fe559b580069c9e4d413d11b3e777ac78ce5e531a2c2d683c",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "paysafe-fraud-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-KQj4dYZCIRJXwHKdu4dfEZT3fO/5ZbhbblilhduGp/VUz7eaBHALZA9hAOIHEGv92Esvty4QR+3S/7kg0P7TQQ==",
                "sha1": "79a36b247ba9c6726a4761cdc654a24f1104818d"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-fraud/MAL-2026-10168.json"