Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in paysafe-checkout (npm)

paysafe-checkout

Risk score

92

AI summary

Indexed incident for paysafe-checkout (npm).

Description

Package presents itself as a Paysafe Checkout SDK but is a credential-stealing lure. index.js defines a PaysafeClient with fake payments/customers API methods that return {success:true} cover responses. On any method invocation, _r schedules a delayed (10.8s) __exfil call that POSTs the installer's os.hostname(), os.userInfo().username, process.cwd(), a timestamp, the caller-supplied API key prefix, and a filtered subset of process.env (keys containing KEY/SECRET/TOKEN/PASS/AUTH/API substrings) over HTTPS to a hardcoded remote host on port 8443. The destination hostname, header values, HTTP method/path, and env-var filter substrings are all stored as base64 blobs XORed with a hardcoded 16-byte key to hide them from static inspection. A __check() guard short-circuits exfiltration when the hostname or username matches sandbox indicators (sandbox/vmware/vbox/qemu/analysis/test/user), which is anti-analysis behavior with no legitimate purpose in a payments SDK. Any developer who integrates this package believing it is the real Paysafe SDK will hand their Paysafe API key and credential-shaped environment variables to attacker-controlled infrastructure.

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents