Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10169: Malicious code in paysafe-js (npm)

0
High
Published: 07/10/2026 (07/10/2026, 18:37:30 UTC)
Source: GCVE Database
Product: paysafe-js

Description

The npm package [email protected] impersonates the legitimate Paysafe JavaScript SDK but contains malicious code that harvests environment variables containing credential-like substrings. It exfiltrates these values along with system metadata to a concealed remote server after evading sandbox detection and delaying execution. This leads to leakage of sensitive installer secrets when integrated by developers expecting a genuine SDK.

Affected software

npmghsa
paysafe-js
Affected versions
=1.0.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:54:44 UTC

Technical Analysis

The malicious npm package [email protected] masquerades as the official Paysafe payments SDK by using the same package name, description, and repository URL. However, its index.js includes obfuscated code that enumerates environment variables, filters keys containing substrings such as key, secret, token, pass, auth, and api, truncates their values, and sends them along with hostname, username, current working directory, package name, and call metadata to a hardcoded command-and-control server on port 8443. The C2 address and transmission details are concealed through multiple layers of encoding and obfuscation. The package also performs sandbox evasion by checking CPU count and user/hostnames and delays data exfiltration by approximately 26 seconds. Any developer using this package expecting the legitimate Paysafe SDK will inadvertently leak sensitive environment credentials to attackers.

Potential Impact

Integration of [email protected] results in unauthorized disclosure of environment variables containing sensitive credentials and secrets. This can lead to compromise of API keys, tokens, passwords, and other authentication material present in the build or runtime environment. The attacker gains access to these secrets remotely via the concealed exfiltration channel, potentially enabling further attacks or unauthorized access to systems and services.

Mitigation Recommendations

No official patch or remediation is currently available for [email protected]. Users should immediately cease using this package and remove it from their projects. Verify the authenticity of packages by checking publisher details and source repositories before installation. Use trusted sources and official SDKs from Paysafe. Monitor for any unauthorized access or credential misuse resulting from this package. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10169
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a520ebf68715ace438f59a6

Added to database: 07/11/2026, 09:37:03 UTC

Last enriched: 07/11/2026, 09:54:44 UTC

Last updated: 07/12/2026, 04:34:03 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses