paysafe-checkout
discovered 2026-07-07npm package typosquatting the Paysafe payment SDK. Exports a fake PaysafeClient that mimics the real Paysafe REST SDK surface (payments.create/get, customers.create/get) and returns {success:true,...} without ever calling a real endpoint (camouflage only). On use it harvests environment variables whose key contains KEY/SECRET/TOKEN/PASS/AUTH/API (each value truncated to 100 chars) plus hostname/username/cwd/timestamp/package name and, when a Paysafe API key is configured, the first 10 chars of that key, then exfiltrates via HTTPS POST (application/json) to an ngrok-tunneled C2. Gated behind host-fingerprint sandbox evasion (CPU cores <2; hostname/username substring blocklist sandbox/analyzer/cuckoo/virus/malware/vmware/vbox) and an ~11768 ms setTimeout delay. C2 hostname is recovered at runtime via a three-step decode: base64 XOR (key SGf6lmbr7GHUg99Z6R2U3g==) then per-char subtract-17 then string reverse. Obfuscation key rotated per build. Malicious versions 1.0.0-1.0.3.
Threat types
Malicious versions
- 1.0.0
- 1.0.1
- 1.0.2
- 1.0.3
Indicators
Techniques
- ttp T1195.001 Compromise Software Dependencies and Development Toolsuses
- ttp T1036 Masqueradinguses
- ttp T1036.005 Masquerading: Match Legitimate Name or Locationuses
- ttp T1497.001 Virtualization/Sandbox Evasion: System Checksuses
- ttp T1497.003 Virtualization/Sandbox Evasion: Time Based Evasionuses
- ttp T1140 Deobfuscate/Decode Files or Informationuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1552 Unsecured Credentialsuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1572 Protocol Tunnelinguses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses