paysafe-api
discovered 2026-07-07PyPI package typosquatting the Paysafe payment SDK. Python port of the npm variant's obfuscation/exfil logic but triggered unconditionally at __init__.py import time (module-level side effect) — NOT gated on a Paysafe API key being set, unlike the npm variant. Harvests environment variables matching KEY/SECRET/TOKEN/PASS/AUTH/API (values truncated to 100 chars) plus host/user/cwd metadata and exfiltrates over HTTPS POST to an ngrok-tunneled C2. Host-fingerprint sandbox evasion (CPU cores <2; hostname/username blocklist) and delayed exfil. C2 hostname recovered via three-step decode using PyPI-specific base64 XOR key 3zWd1Ua8V/wcYtYxZmQZPQ== (distinct from the npm key). Malicious version 1.0.0.
Threat types
Malicious versions
- 1.0.0