-= Per source details. Do not edit below this line.=-
The package presents itself as a Paysafe payments SDK (PaysafeClient with payments.create/get and customers.create/get methods) but its index.js contains an XOR+base64-obfuscated exfiltration routine. When a consumer constructs PaysafeClient and calls any of its methods, the code decodes hidden strings at runtime, collects the host's hostname, username, cwd, and filters process.env for keys containing KEY/SECRET/TOKEN/PASS/AUTH/API, then POSTs the collected JSON to a hardcoded remote host on port 8443. A sandbox-evasion gate (low CPU count check plus hostname/username substring match against a decoded list of analysis-environment indicators) suppresses the exfil on likely analysis hosts, confirming hostile intent. The package name and API surface impersonate the legitimate Paysafe payments SDK, making this a typosquat lure whose payload steals installer credentials. All sensitive strings (C2 hostname, HTTP method, headers, env-key substrings, sandbox indicators) are stored as base64 blobs XOR-decoded via a helper function with a base64-encoded key, solely to hide the exfil behavior.
{
"malicious-packages-origins": [
{
"sha256": "68b2f9f90c8f2efd9e304e6ab0271ac2378954fe724134b4daa4649622a0f416",
"id": "IN-MAL-2026-009704",
"import_time": "2026-07-10T19:02:48.620097687Z",
"versions": [
"1.0.0"
],
"modified_time": "2026-07-10T18:38:06Z",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "paysafe-payments-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-03c6fj5onaJcraKySWhduGgVTQWqVwTm8IsrDDBe5CMh5FfYocu+UF6MPv4pXnJbGFtF1P4cpqEkYmbCQBHZ9A==",
"sha1": "6a4477c34f94c04cccf35904f9918e0daa940ad4"
}
}
],
"evidence_files": [
{
"sha256": "9727c804c4354e481d2ff9d4934bd1b2518293a9ca34a14f5c7ae9d0cd30ce94",
"tlsh": "75611130f2d865377b608fe55cb18451a85a5d013d06f393bb7c78cd5e939a182d687c",
"path": "index.js"
},
{
"sha256": "5596d41341679f18c432b4f906803f2e8885277c8bd65ff9886294aa327da2c4",
"tlsh": "93f02b33e9905d2311fa975198748203b7214f1fa9704c0b3aff501c8b6297318ddb1d",
"path": "package.json"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-payments/MAL-2026-10172.json"