Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10172: Malicious code in paysafe-payments (npm)

0
High
Published: 07/10/2026 (07/10/2026, 18:38:06 UTC)
Source: GCVE Database
Product: paysafe-payments

Description

The npm package paysafe-payments version 1.0.0 is a malicious typosquatting package impersonating the legitimate Paysafe payments SDK. It contains obfuscated code that exfiltrates sensitive environment information, including host details and environment variables with keys related to credentials, to a hardcoded remote server. The package includes sandbox evasion techniques to avoid detection in analysis environments. This threat targets installer credentials by masquerading as a trusted SDK.

Affected software

npmghsa
paysafe-payments
Affected versions
=1.0.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:54:00 UTC

Technical Analysis

The paysafe-payments npm package (version 1.0.0) is a malicious typosquat that mimics the Paysafe payments SDK API surface. Its index.js contains XOR and base64 obfuscated code that, when the PaysafeClient is instantiated and its methods called, collects the hostname, username, current working directory, and environment variables containing sensitive keys (e.g., KEY, SECRET, TOKEN, PASS, AUTH, API). This data is encoded as JSON and sent via HTTP POST to a hardcoded command-and-control server on port 8443. The package employs sandbox evasion by checking CPU count and matching hostname/username against a list of known analysis environment indicators, suppressing exfiltration if detected. All sensitive strings are stored obfuscated to conceal malicious behavior.

Potential Impact

This malicious package can lead to credential theft by exfiltrating environment variables and host information from systems where it is installed and executed. The stolen data may include API keys, tokens, passwords, and other secrets, potentially compromising downstream services and infrastructure that rely on these credentials.

Mitigation Recommendations

No official patch or remediation is currently available. Users should avoid installing or using the paysafe-payments package version 1.0.0 from npm. Verify package authenticity by checking the publisher and using the legitimate Paysafe SDK from trusted sources. Remove any instances of this malicious package from your environment. Monitor for any suspicious outbound connections to unknown hosts on port 8443. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10172
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a520ebf68715ace438f599a

Added to database: 07/11/2026, 09:37:03 UTC

Last enriched: 07/11/2026, 09:54:00 UTC

Last updated: 07/12/2026, 03:35:55 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses