paysafe-vault
discovered 2026-07-07npm package typosquatting the Paysafe payment SDK. Exports a fake PaysafeClient that mimics the real Paysafe REST SDK surface (payments.create/get, customers.create/get) and returns {success:true,...} without ever calling a real endpoint (camouflage only). On use it harvests environment variables whose key contains KEY/SECRET/TOKEN/PASS/AUTH/API (each value truncated to 100 chars) plus hostname/username/cwd/timestamp/package name and, when a Paysafe API key is configured, the first 10 chars of that key, then exfiltrates via HTTPS POST (application/json) to an ngrok-tunneled C2. Gated behind host-fingerprint sandbox evasion (CPU cores <2; hostname/username substring blocklist sandbox/analyzer/cuckoo/virus/malware/vmware/vbox) and an ~11768 ms setTimeout delay. C2 hostname is recovered at runtime via a three-step decode: base64 XOR (key SGf6lmbr7GHUg99Z6R2U3g==) then per-char subtract-17 then string reverse. Obfuscation key rotated per build. Malicious versions 1.0.0-1.0.3.
Threat types
Malicious versions
- 1.0.0
- 1.0.1
- 1.0.2
- 1.0.3