MAL-2026-10169

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-js/MAL-2026-10169.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10169
Published
2026-07-10T18:37:30Z
Modified
2026-07-10T19:16:57.075017448Z
Summary
Malicious code in paysafe-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a1dc1a7847e47ee850fe8a4011ce83950962ab65cc742eb52919d13abe431e59)

paysafe-js@1.0.0 impersonates a Paysafe payments SDK (package name, description "Paysafe JavaScript SDK", and repository URL github.com/paysafe/paysafe-js) but its index.js contains XOR+base64-obfuscated logic that harvests installer secrets. When a consumer invokes the SDK's payments/customers methods with an apiKey configured, the code enumerates process.env, selects keys whose names contain substrings like key/secret/token/pass/auth/api, truncates each value to 100 characters, and POSTs the collected values along with hostname, username, cwd, package name, and call metadata to a hardcoded remote host on port 8443. The C2 hostname is concealed via a base64 + char-shift(-5) + reverse pipeline; HTTP method, headers, path, and env-key filter substrings are hidden with a raw XOR key decoded from base64. A sandbox-evasion gate (CPU count and hostname/username substring checks) and a delayed setTimeout (~26 seconds) precede transmission. Any developer who integrates this package expecting the Paysafe SDK will leak the credential-shaped environment variables of their build or runtime environment to the attacker.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a1dc1a7847e47ee850fe8a4011ce83950962ab65cc742eb52919d13abe431e59",
            "id": "IN-MAL-2026-009700",
            "modified_time": "2026-07-10T18:37:30Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-07-10T19:02:48.420057646Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / paysafe-js

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369",
            "tlsh": "6a618230b1e9a53737b04fe18d7a44059d5e4c423d85b3a3b6ac78ce9a532e2d1d687c",
            "path": "index.js"
        },
        {
            "sha256": "9ec3b25c938a9e2d035bfcf76ac1cd1f4919e04de3cbcc4aa0246d86d19173c8",
            "tlsh": "22e02233ce908d2309b697918c358241b3712f1f68208c0fb6fb001c87626b709dab6c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "paysafe-js-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-8wMpTm4NP0WBIqGAMtRCbIhOCTVCXskYRGVxkZBHfkW8zEOkoEZ3iUj9i5/NYbmV0Uo2t07+TKLdKcj/moF+8A==",
                "sha1": "eef336670fda94ee5cfd32a83972bb3f73a0b49c"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-js/MAL-2026-10169.json"