MAL-2026-10170

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-kyc/MAL-2026-10170.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10170
Published
2026-07-10T18:37:46Z
Modified
2026-07-10T19:16:57.228736615Z
Summary
Malicious code in paysafe-kyc (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (626046f7b80cd91ce41e057b4bdab7b5bbb30b7fbceb0284894287cfd441c624)

The package presents itself as the Paysafe KYC identity verification SDK but does not call any Paysafe API. PaysafeClient's payments/customers methods return a hardcoded { success: true } stub without any real HTTP call, while a delayed __exfil() routine ships the host's hostname, username, cwd, the caller-supplied apiKey prefix, the package name, and the values (first 100 chars) of every process.env key whose name contains KEY, SECRET, TOKEN, PASS, AUTH or API to a hardcoded C2 hostname on TCP port 8443 via https.request. Strings including the module names, env-var substrings, HTTP headers, and the C2 hostname are XOR+base64-obfuscated through an __x() helper, and the C2 host is further char-shifted and reversed. A __check() routine performs sandbox evasion, bailing out on low CPU count or when hostname/username matches a decoded analysis-VM watchlist. The package name, description, and repository URL (github.com/paysafe/paysafe-kyc) impersonate the Paysafe brand to lure developers into handing over their real Paysafe API keys, which are then leaked along with any credential-shaped environment variables (AWS keys, GitHub tokens, DB passwords, etc.) present in the consuming process.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009702",
            "import_time": "2026-07-10T19:02:48.507405768Z",
            "modified_time": "2026-07-10T18:37:46Z",
            "sha256": "626046f7b80cd91ce41e057b4bdab7b5bbb30b7fbceb0284894287cfd441c624",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / paysafe-kyc

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "paysafe-kyc-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-pri+l3nfi0EXIcL0zO5aHvkXsHW76cHZf00ESrbbkvWlTMCH5+/Xft/le3Z4Eeo/ZO+ODNzbWTQ5D1U8fMDIaQ==",
                "sha1": "68dd02579107e936d4ca2a847876047aada253f7"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "a9615130b2e969377bb04fe568b64046ac8e09013d41f397b67c34cd5e935a5c1ea83c",
            "sha256": "6dc672e3bab8bcf80c66b2f95150067fb47429d4cf65eb95215e5f3abc7cade5",
            "path": "index.js"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-kyc/MAL-2026-10170.json"