MAL-2026-10169: Malicious code in paysafe-js (npm)
The npm package [email protected] impersonates the legitimate Paysafe JavaScript SDK but contains malicious code that harvests environment variables containing credential-like substrings. It exfiltrates these values along with system metadata to a concealed remote server after evading sandbox detection and delaying execution. This leads to leakage of sensitive installer secrets when integrated by developers expecting a genuine SDK.
AI Analysis
Technical Summary
The malicious npm package [email protected] masquerades as the official Paysafe payments SDK by using the same package name, description, and repository URL. However, its index.js includes obfuscated code that enumerates environment variables, filters keys containing substrings such as key, secret, token, pass, auth, and api, truncates their values, and sends them along with hostname, username, current working directory, package name, and call metadata to a hardcoded command-and-control server on port 8443. The C2 address and transmission details are concealed through multiple layers of encoding and obfuscation. The package also performs sandbox evasion by checking CPU count and user/hostnames and delays data exfiltration by approximately 26 seconds. Any developer using this package expecting the legitimate Paysafe SDK will inadvertently leak sensitive environment credentials to attackers.
Potential Impact
Integration of [email protected] results in unauthorized disclosure of environment variables containing sensitive credentials and secrets. This can lead to compromise of API keys, tokens, passwords, and other authentication material present in the build or runtime environment. The attacker gains access to these secrets remotely via the concealed exfiltration channel, potentially enabling further attacks or unauthorized access to systems and services.
Mitigation Recommendations
No official patch or remediation is currently available for [email protected]. Users should immediately cease using this package and remove it from their projects. Verify the authenticity of packages by checking publisher details and source repositories before installation. Use trusted sources and official SDKs from Paysafe. Monitor for any unauthorized access or credential misuse resulting from this package. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
MAL-2026-10169: Malicious code in paysafe-js (npm)
Description
The npm package [email protected] impersonates the legitimate Paysafe JavaScript SDK but contains malicious code that harvests environment variables containing credential-like substrings. It exfiltrates these values along with system metadata to a concealed remote server after evading sandbox detection and delaying execution. This leads to leakage of sensitive installer secrets when integrated by developers expecting a genuine SDK.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The malicious npm package [email protected] masquerades as the official Paysafe payments SDK by using the same package name, description, and repository URL. However, its index.js includes obfuscated code that enumerates environment variables, filters keys containing substrings such as key, secret, token, pass, auth, and api, truncates their values, and sends them along with hostname, username, current working directory, package name, and call metadata to a hardcoded command-and-control server on port 8443. The C2 address and transmission details are concealed through multiple layers of encoding and obfuscation. The package also performs sandbox evasion by checking CPU count and user/hostnames and delays data exfiltration by approximately 26 seconds. Any developer using this package expecting the legitimate Paysafe SDK will inadvertently leak sensitive environment credentials to attackers.
Potential Impact
Integration of [email protected] results in unauthorized disclosure of environment variables containing sensitive credentials and secrets. This can lead to compromise of API keys, tokens, passwords, and other authentication material present in the build or runtime environment. The attacker gains access to these secrets remotely via the concealed exfiltration channel, potentially enabling further attacks or unauthorized access to systems and services.
Mitigation Recommendations
No official patch or remediation is currently available for [email protected]. Users should immediately cease using this package and remove it from their projects. Verify the authenticity of packages by checking publisher details and source repositories before installation. Use trusted sources and official SDKs from Paysafe. Monitor for any unauthorized access or credential misuse resulting from this package. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10169
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a520ebf68715ace438f59a6
Added to database: 07/11/2026, 09:37:03 UTC
Last enriched: 07/11/2026, 09:54:44 UTC
Last updated: 07/12/2026, 04:34:03 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.