OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6982 confirms this npm version as malicious. Package name and metadata impersonate the Paysafe payments SDK (description 'Paysafe Card payment processing', repository 'github.com/paysafe/paysafe-card.git'), but the exported PaysafeClient does not contact Paysafe. Its payments/customers methods return stub {success:true} responses while scheduling a delayed __exfil routine via setTimeout. On invocation with an apiKey, the code enumerates process.env, filters...
Advisory
MAL-2026-6982
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in paysafe-cards (npm)
Details
Package name and metadata impersonate the Paysafe payments SDK (description 'Paysafe Card payment processing', repository 'github.com/paysafe/paysafe-card.git'), but the exported PaysafeClient does not contact Paysafe. Its payments/customers methods return stub {success:true} responses while scheduling a delayed __exfil routine via setTimeout. On invocation with an apiKey, the code enumerates process.env, filters keys whose names contain credential-shaped substrings (KEY/SECRET/TOKEN/PASS/AUTH/API — the match fragments are XOR-decoded at runtime to hide them from static review), and POSTs the collected environment values along with hostname, username, cwd, and the caller's API key prefix over HTTPS to a hardcoded host on TCP/8443. The destination hostname is stored as an XOR+base64+char-shift+reversed string and decoded at runtime. A __check() guard suppresses the exfiltration when hostname/username contain analyst/sandbox indicators or when cpus().length < 2, evading CI and analysis VMs. Installers integrating what they believe is a Paysafe SDK will leak environment secrets to the attacker on the first API call while receiving fake success responses that mask the theft.
Decision reason
OpenSSF Malicious Packages via OSV confirms paysafe-cards@1.0.0 as malicious (MAL-2026-6982): Malicious code in paysafe-cards (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory