-= Per source details. Do not edit below this line.=-
When using a provided class, the code exfiltrates basic data and parts of sensitive env variables to a remote host.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-paysafe-api
Reasons (based on the campaign):
exfiltration-env-variables
dependency-confusion
action-hidden-in-lib-usage
The package contains code to detect if it is running in a sandbox environment.
obfuscation
{
"iocs": {
"domains": [
"caliber-spinner-finishing.ngrok-free.dev"
]
},
"malicious-packages-origins": [
{
"sha256": "cc8e13806589e7fbb3dbe284624b88d6de8c030f32c04c20f8c76af059f33515",
"id": "pypi/2026-07-paysafe-api/paysafe-payments",
"source": "kam193",
"import_time": "2026-07-07T15:30:57.593031525Z",
"modified_time": "2026-07-07T15:22:35.970045Z",
"versions": [
"1.0.0"
]
},
{
"modified_time": "2026-07-07T15:22:35.970045Z",
"id": "pypi/2026-07-paysafe-api/paysafe-payments",
"source": "kam193",
"import_time": "2026-07-07T22:55:28.726723418Z",
"sha256": "f36b53b707131144693edb59b95fe127d3b0dbbcd621691792247e3e9a33428c",
"versions": [
"1.0.0"
]
}
]
}