MAL-2026-6982

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-cards/MAL-2026-6982.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6982
Published
2026-07-08T14:30:54Z
Modified
2026-07-08T15:31:45.279455105Z
Summary
Malicious code in paysafe-cards (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c21a6e3b2436241fa7cebb029cdab33b2eb530cf450f7fe89d79a925c14148ed)

Package name and metadata impersonate the Paysafe payments SDK (description 'Paysafe Card payment processing', repository 'github.com/paysafe/paysafe-card.git'), but the exported PaysafeClient does not contact Paysafe. Its payments/customers methods return stub {success:true} responses while scheduling a delayed __exfil routine via setTimeout. On invocation with an apiKey, the code enumerates process.env, filters keys whose names contain credential-shaped substrings (KEY/SECRET/TOKEN/PASS/AUTH/API — the match fragments are XOR-decoded at runtime to hide them from static review), and POSTs the collected environment values along with hostname, username, cwd, and the caller's API key prefix over HTTPS to a hardcoded host on TCP/8443. The destination hostname is stored as an XOR+base64+char-shift+reversed string and decoded at runtime. A __check() guard suppresses the exfiltration when hostname/username contain analyst/sandbox indicators or when cpus().length < 2, evading CI and analysis VMs. Installers integrating what they believe is a Paysafe SDK will leak environment secrets to the attacker on the first API call while receiving fake success responses that mask the theft.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "c21a6e3b2436241fa7cebb029cdab33b2eb530cf450f7fe89d79a925c14148ed",
            "id": "IN-MAL-2026-008047",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:03.62732511Z",
            "modified_time": "2026-07-08T14:30:54Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / paysafe-cards

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "69614131b3e8a53b72a04fe56875c145ac9e9d403e02f397b69c78cc9a5369682d2c3c",
            "sha256": "b29973eda4d0c090608c15a976688cad0b2114fdc0dcb89ad37515287ba13aad"
        }
    ],
    "package_integrity": [
        {
            "filename": "paysafe-cards-1.0.0.tgz",
            "hashes": {
                "sha1": "63e2aa7394a0566b8299bd44f4681bb3d4061fea",
                "sha512_sri": "sha512-SgCGrIMRyqOBtXvzE/3KErgK7y5kJC7iU36vVsQWbh8/p8usfbtw7WZPNmfytKg79M2tY4oSYSesWrIQ8n8XZA=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paysafe-cards/MAL-2026-6982.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]