OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10170 confirms this npm version as malicious. The package presents itself as the Paysafe KYC identity verification SDK but does not call any Paysafe API. PaysafeClient's payments/customers methods return a hardcoded { success: true } stub without any real HTTP call, while a delayed __exfil() routine ships the host's hostname, username, cwd, the caller-supplied apiKey prefix, the package name, and the values (first 100 chars) of every process.env key whose name...
Advisory
MAL-2026-10170
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in paysafe-kyc (npm)
Details
The package presents itself as the Paysafe KYC identity verification SDK but does not call any Paysafe API. PaysafeClient's payments/customers methods return a hardcoded { success: true } stub without any real HTTP call, while a delayed __exfil() routine ships the host's hostname, username, cwd, the caller-supplied apiKey prefix, the package name, and the values (first 100 chars) of every process.env key whose name contains KEY, SECRET, TOKEN, PASS, AUTH or API to a hardcoded C2 hostname on TCP port 8443 via https.request. Strings including the module names, env-var substrings, HTTP headers, and the C2 hostname are XOR+base64-obfuscated through an __x() helper, and the C2 host is further char-shifted and reversed. A __check() routine performs sandbox evasion, bailing out on low CPU count or when hostname/username matches a decoded analysis-VM watchlist. The package name, description, and repository URL (github.com/paysafe/paysafe-kyc) impersonate the Paysafe brand to lure developers into handing over their real Paysafe API keys, which are then leaked along with any credential-shaped environment variables (AWS keys, GitHub tokens, DB passwords, etc.) present in the consuming process.
Decision reason
OpenSSF Malicious Packages via OSV confirms paysafe-kyc@1.0.0 as malicious (MAL-2026-10170): Malicious code in paysafe-kyc (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory