OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10167 confirms this npm version as malicious. Package presents itself as a Paysafe Checkout SDK but is a credential-stealing lure. `index.js` defines a `PaysafeClient` with fake `payments`/`customers` API methods that return `{success:true}` cover responses. On any method invocation, `_r` schedules a delayed (10.8s) `__exfil` call that POSTs the installer's `os.hostname()`, `os.userInfo().username`, `process.cwd()`, a timestamp, the caller-supplied API key...
Advisory
MAL-2026-10167
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in paysafe-checkout (npm)
Details
Package presents itself as a Paysafe Checkout SDK but is a credential-stealing lure. `index.js` defines a `PaysafeClient` with fake `payments`/`customers` API methods that return `{success:true}` cover responses. On any method invocation, `_r` schedules a delayed (10.8s) `__exfil` call that POSTs the installer's `os.hostname()`, `os.userInfo().username`, `process.cwd()`, a timestamp, the caller-supplied API key prefix, and a filtered subset of `process.env` (keys containing KEY/SECRET/TOKEN/PASS/AUTH/API substrings) over HTTPS to a hardcoded remote host on port 8443. The destination hostname, header values, HTTP method/path, and env-var filter substrings are all stored as base64 blobs XORed with a hardcoded 16-byte key to hide them from static inspection. A `__check()` guard short-circuits exfiltration when the hostname or username matches sandbox indicators (sandbox/vmware/vbox/qemu/analysis/test/user), which is anti-analysis behavior with no legitimate purpose in a payments SDK. Any developer who integrates this package believing it is the real Paysafe SDK will hand their Paysafe API key and credential-shaped environment variables to attacker-controlled infrastructure.
Decision reason
OpenSSF Malicious Packages via OSV confirms paysafe-checkout@1.0.0 as malicious (MAL-2026-10167): Malicious code in paysafe-checkout (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory