-= Per source details. Do not edit below this line.=-
paysafe-js@1.0.0 impersonates a Paysafe payments SDK (package name, description "Paysafe JavaScript SDK", and repository URL github.com/paysafe/paysafe-js) but its index.js contains XOR+base64-obfuscated logic that harvests installer secrets. When a consumer invokes the SDK's payments/customers methods with an apiKey configured, the code enumerates process.env, selects keys whose names contain substrings like key/secret/token/pass/auth/api, truncates each value to 100 characters, and POSTs the collected values along with hostname, username, cwd, package name, and call metadata to a hardcoded remote host on port 8443. The C2 hostname is concealed via a base64 + char-shift(-5) + reverse pipeline; HTTP method, headers, path, and env-key filter substrings are hidden with a raw XOR key decoded from base64. A sandbox-evasion gate (CPU count and hostname/username substring checks) and a delayed setTimeout (~26 seconds) precede transmission. Any developer who integrates this package expecting the Paysafe SDK will leak the credential-shaped environment variables of their build or runtime environment to the attacker.
{
"malicious-packages-origins": [
{
"sha256": "a1dc1a7847e47ee850fe8a4011ce83950962ab65cc742eb52919d13abe431e59",
"id": "IN-MAL-2026-009700",
"modified_time": "2026-07-10T18:37:30Z",
"versions": [
"1.0.0"
],
"import_time": "2026-07-10T19:02:48.420057646Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369",
"tlsh": "6a618230b1e9a53737b04fe18d7a44059d5e4c423d85b3a3b6ac78ce9a532e2d1d687c",
"path": "index.js"
},
{
"sha256": "9ec3b25c938a9e2d035bfcf76ac1cd1f4919e04de3cbcc4aa0246d86d19173c8",
"tlsh": "22e02233ce908d2309b697918c358241b3712f1f68208c0fb6fb001c87626b709dab6c",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "paysafe-js-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-8wMpTm4NP0WBIqGAMtRCbIhOCTVCXskYRGVxkZBHfkW8zEOkoEZ3iUj9i5/NYbmV0Uo2t07+TKLdKcj/moF+8A==",
"sha1": "eef336670fda94ee5cfd32a83972bb3f73a0b49c"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-js/MAL-2026-10169.json"