MAL-2026-10172

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-payments/MAL-2026-10172.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10172
Published
2026-07-10T18:38:06Z
Modified
2026-07-10T19:16:58.270635569Z
Summary
Malicious code in paysafe-payments (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (68b2f9f90c8f2efd9e304e6ab0271ac2378954fe724134b4daa4649622a0f416)

The package presents itself as a Paysafe payments SDK (PaysafeClient with payments.create/get and customers.create/get methods) but its index.js contains an XOR+base64-obfuscated exfiltration routine. When a consumer constructs PaysafeClient and calls any of its methods, the code decodes hidden strings at runtime, collects the host's hostname, username, cwd, and filters process.env for keys containing KEY/SECRET/TOKEN/PASS/AUTH/API, then POSTs the collected JSON to a hardcoded remote host on port 8443. A sandbox-evasion gate (low CPU count check plus hostname/username substring match against a decoded list of analysis-environment indicators) suppresses the exfil on likely analysis hosts, confirming hostile intent. The package name and API surface impersonate the legitimate Paysafe payments SDK, making this a typosquat lure whose payload steals installer credentials. All sensitive strings (C2 hostname, HTTP method, headers, env-key substrings, sandbox indicators) are stored as base64 blobs XOR-decoded via a helper function with a base64-encoded key, solely to hide the exfil behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "68b2f9f90c8f2efd9e304e6ab0271ac2378954fe724134b4daa4649622a0f416",
            "id": "IN-MAL-2026-009704",
            "import_time": "2026-07-10T19:02:48.620097687Z",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-07-10T18:38:06Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / paysafe-payments

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "paysafe-payments-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-03c6fj5onaJcraKySWhduGgVTQWqVwTm8IsrDDBe5CMh5FfYocu+UF6MPv4pXnJbGFtF1P4cpqEkYmbCQBHZ9A==",
                "sha1": "6a4477c34f94c04cccf35904f9918e0daa940ad4"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "9727c804c4354e481d2ff9d4934bd1b2518293a9ca34a14f5c7ae9d0cd30ce94",
            "tlsh": "75611130f2d865377b608fe55cb18451a85a5d013d06f393bb7c78cd5e939a182d687c",
            "path": "index.js"
        },
        {
            "sha256": "5596d41341679f18c432b4f906803f2e8885277c8bd65ff9886294aa327da2c4",
            "tlsh": "93f02b33e9905d2311fa975198748203b7214f1fa9704c0b3aff501c8b6297318ddb1d",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-payments/MAL-2026-10172.json"