MAL-2026-10172: Malicious code in paysafe-payments (npm)
The npm package paysafe-payments version 1.0.0 is a malicious typosquatting package impersonating the legitimate Paysafe payments SDK. It contains obfuscated code that exfiltrates sensitive environment information, including host details and environment variables with keys related to credentials, to a hardcoded remote server. The package includes sandbox evasion techniques to avoid detection in analysis environments. This threat targets installer credentials by masquerading as a trusted SDK.
AI Analysis
Technical Summary
The paysafe-payments npm package (version 1.0.0) is a malicious typosquat that mimics the Paysafe payments SDK API surface. Its index.js contains XOR and base64 obfuscated code that, when the PaysafeClient is instantiated and its methods called, collects the hostname, username, current working directory, and environment variables containing sensitive keys (e.g., KEY, SECRET, TOKEN, PASS, AUTH, API). This data is encoded as JSON and sent via HTTP POST to a hardcoded command-and-control server on port 8443. The package employs sandbox evasion by checking CPU count and matching hostname/username against a list of known analysis environment indicators, suppressing exfiltration if detected. All sensitive strings are stored obfuscated to conceal malicious behavior.
Potential Impact
This malicious package can lead to credential theft by exfiltrating environment variables and host information from systems where it is installed and executed. The stolen data may include API keys, tokens, passwords, and other secrets, potentially compromising downstream services and infrastructure that rely on these credentials.
Mitigation Recommendations
No official patch or remediation is currently available. Users should avoid installing or using the paysafe-payments package version 1.0.0 from npm. Verify package authenticity by checking the publisher and using the legitimate Paysafe SDK from trusted sources. Remove any instances of this malicious package from your environment. Monitor for any suspicious outbound connections to unknown hosts on port 8443. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.
MAL-2026-10172: Malicious code in paysafe-payments (npm)
Description
The npm package paysafe-payments version 1.0.0 is a malicious typosquatting package impersonating the legitimate Paysafe payments SDK. It contains obfuscated code that exfiltrates sensitive environment information, including host details and environment variables with keys related to credentials, to a hardcoded remote server. The package includes sandbox evasion techniques to avoid detection in analysis environments. This threat targets installer credentials by masquerading as a trusted SDK.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The paysafe-payments npm package (version 1.0.0) is a malicious typosquat that mimics the Paysafe payments SDK API surface. Its index.js contains XOR and base64 obfuscated code that, when the PaysafeClient is instantiated and its methods called, collects the hostname, username, current working directory, and environment variables containing sensitive keys (e.g., KEY, SECRET, TOKEN, PASS, AUTH, API). This data is encoded as JSON and sent via HTTP POST to a hardcoded command-and-control server on port 8443. The package employs sandbox evasion by checking CPU count and matching hostname/username against a list of known analysis environment indicators, suppressing exfiltration if detected. All sensitive strings are stored obfuscated to conceal malicious behavior.
Potential Impact
This malicious package can lead to credential theft by exfiltrating environment variables and host information from systems where it is installed and executed. The stolen data may include API keys, tokens, passwords, and other secrets, potentially compromising downstream services and infrastructure that rely on these credentials.
Mitigation Recommendations
No official patch or remediation is currently available. Users should avoid installing or using the paysafe-payments package version 1.0.0 from npm. Verify package authenticity by checking the publisher and using the legitimate Paysafe SDK from trusted sources. Remove any instances of this malicious package from your environment. Monitor for any suspicious outbound connections to unknown hosts on port 8443. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10172
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a520ebf68715ace438f599a
Added to database: 07/11/2026, 09:37:03 UTC
Last enriched: 07/11/2026, 09:54:00 UTC
Last updated: 07/12/2026, 03:35:55 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.