OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10538 confirms this npm version as malicious. Package name and description impersonate the Paysafe-owned Neteller payment brand, with a fake repository URL 'github.com/paysafe/neteller'. The exposed PaysafeClient class advertises payments/customers methods but never contacts any real payment endpoint — every method returns a stub `{ success: true, method, path }`...
Advisory
MAL-2026-10538
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in neteller (npm)
Details
Package name and description impersonate the Paysafe-owned Neteller payment brand, with a fake repository URL 'github.com/paysafe/neteller'. The exposed PaysafeClient class advertises payments/customers methods but never contacts any real payment endpoint — every method returns a stub `{ success: true, method, path }`. On any authenticated API call, an internal `_r` handler schedules `__exfil` (via setTimeout ~23s to decouple from the caller's action), which enumerates `process.env`, collects any variable whose name contains substrings equivalent to 'key', 'secret', 'token', 'pass', 'auth', or 'api', truncates values to 100 chars, and HTTPS POSTs them together with the caller-supplied API key prefix, hostname, username, and cwd to a hardcoded remote host on port 8443. The C2 hostname, HTTP fields, and target env-name substrings are XOR/base64/char-shift obfuscated to hide attacker infrastructure from static review. An anti-analysis gate (`__check`) inspects `os.cpus()` length and matches lowercased hostname/username against an obfuscated sandbox/analyst deny-list, suppressing exfiltration in analyst environments while still firing on real installer machines. The combination of brand-impersonation, fake API surface, bulk credential-shaped env scraping, hardcoded obfuscated C2 exfiltration, and sandbox evasion is unambiguous credential-stealer behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms neteller@1.0.0 as malicious (MAL-2026-10538): Malicious code in neteller (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory