MAL-2026-4658

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rapyd-client/MAL-2026-4658.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4658
Published
2026-05-22T16:48:57Z
Modified
2026-05-26T06:02:53.449178963Z
Summary
Malicious code in rapyd-client (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60)

Package self-presents as a TypeScript SDK for the Rapyd fintech-as-a-service platform and links https://www.rapyd-client.net/ as if it were Rapyd's homepage, but the real Rapyd domain is rapyd.net. In dist/index.cjs, the default API base is hardcoded as const defaultBase = sandbox ? "https://sandboxapi.rapyd-client.net" : "https://api.rapyd-client.net"; — both controlled by the package author, not Rapyd Inc. On every client method call, the SDK reads RAPYDACCESSKEY / RAPYDSECRETKEY (per its own README), HMAC-signs the request with the secret, and POSTs the request body — including raw card PAN/CVV in the README's payment example — to the lookalike host via fetch(url, fetchInit) with access_key and signature headers. Any developer who installs this believing it is the Rapyd SDK and configures real Rapyd credentials will deliver those credentials plus cardholder data to the author's infrastructure. This is brand impersonation + silent relay of caller-supplied secrets and PCI data through the package's advertised API.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60",
            "modified_time": "2026-05-22T16:48:57Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-004229",
            "import_time": "2026-05-26T05:52:11.849533259Z"
        }
    ]
}

Affected packages

npm / rapyd-client

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rapyd-client/MAL-2026-4658.json"
indicators
{
    "package_integrity": [
        {
            "filename": "rapyd-client-1.0.0.tgz",
            "hashes": {
                "sha1": "5b39e180a17fed682c46cc6f306a53829693e612",
                "sha512_sri": "sha512-32sgsLPcCB59c7ckr2tmnkHbDTfgkRFItTfIC5bku2nFATdlNPeRZKqvt6caKMXjY6wsegIsppMxZju/tUMfIQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "1b56bc6465348bf63d2ece94cd2bbf5ccef392944132e40197a0e074f01abd7c",
            "tlsh": "b0330ef577e2a5c072a7e93cbd269124f11af80f341d8c1c71d832b85fcca6489a19b6",
            "path": "dist/index.cjs"
        },
        {
            "path": "README.md",
            "tlsh": "3c1261c1217a5e349ff907edb5b1f1a4beb3d1047382a8a876cc476c5b4e053862d22e",
            "sha256": "11ff7f46969fe4d33984ce7bbb2abf2ab28b4e143d7024fc8df8d17f340b9a9f"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
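
One way to check a project against this record, as an added example that is not part of the advisory or of the reporting source's tooling: the script audits a parsed package-lock.json for rapyd-client by name and by the sha512_sri value listed under indicators, covering nested and aliased installs. The sample lockfile, the other package names in it and the function names are constructed for illustration.

```javascript
// Added example, not part of the advisory. Name, version and SRI hash are copied
// from this record; the lockfile at the bottom is constructed sample input.
const RECORD = { name: "rapyd-client", versions: ["1.0.0"],
  integrity:
    "sha512-32sgsLPcCB59c7ckr2tmnkHbDTfgkRFItTfIC5bku2nFATdlNPeRZKqvt6caKMXjY6wsegIsppMxZju/tUMfIQ==",
};

// Flatten lockfile v2/v3 ("packages") or v1 (nested "dependencies") into one list.
function listEntries(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      // Keys end in "node_modules/<name>"; aliased installs keep the real name in meta.name.
      const name = meta.name || path.split("node_modules/").pop();
      out.push({ path, name, version: meta.version, integrity: meta.integrity });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.push({ path, name, version: meta.version, integrity: meta.integrity });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Flag every entry that matches by package name or by tarball integrity hash.
function audit(lock) {
  return listEntries(lock)
    .filter((e) => e.name === RECORD.name || e.integrity === RECORD.integrity)
    .map((e) => ({ path: e.path, version: e.version,
      listedVersion: RECORD.versions.includes(e.version), hashMatch: e.integrity === RECORD.integrity }));
}

// Constructed lockfile: one direct install and one nested, aliased install.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-backend", version: "0.1.0" },
    "node_modules/left-helper": { version: "2.3.1", integrity: "sha512-CONSTRUCTED" },
    "node_modules/rapyd-client": { version: "1.0.0", integrity: RECORD.integrity },
    "node_modules/pay/node_modules/rapyd": { name: "rapyd-client", version: "1.0.0", integrity: RECORD.integrity },
  },
};
console.log(audit(sampleLock));
```

A hit means any RAPYDACCESSKEY / RAPYDSECRETKEY values configured for the package, and any card data passed through it, should be treated as disclosed to the rapyd-client.net hosts named in the details.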