Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in paysafe-vault (npm)

paysafe-vault

Risk score

92

AI summary

Indexed incident for paysafe-vault (npm).

Description

The package impersonates a Paysafe Customer Vault SDK but is a credential stealer. index.js defines an __exfil() routine that collects os.hostname(), os.userInfo().username, process.cwd(), and every process.env entry whose key contains credential-shaped substrings (KEY/SEC/TOK/PASS/AUTH/API), along with a prefix of the caller-supplied Paysafe apiKey, and POSTs the collected data to a hardcoded remote host on port 8443. The exfiltration is triggered from every PaysafeClient API method (payments., customers.) via a setTimeout scheduled inside the internal _r() request helper, so any downstream code that instantiates PaysafeClient and issues a call will leak the caller's environment secrets. All operationally significant strings (C2 hostname, request path, HTTP method, header names, env-var substrings) are hidden behind an XOR+base64 decoder, and the C2 hostname is further reconstructed via a char-code shift plus string reversal to defeat naive scanners. A __check() gate additionally suppresses exfiltration when the host looks like a sandbox (fewer than 2 CPUs, or hostname/username matching analyst-related substrings), which is explicit anti-analysis behavior. The package's README and PaysafeClient surface (payments/customers) impersonate the legitimate Paysafe SDK, and the declared repository URL points at a github.com/paysafe org path the publisher does not control.

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents