paysafe-sdk
discovered 2026-07-07PyPI package typosquatting the Paysafe payment SDK. Python port of the npm variant's obfuscation/exfil logic but triggered unconditionally at __init__.py import time (module-level side effect) — NOT gated on a Paysafe API key being set, unlike the npm variant. Harvests environment variables matching KEY/SECRET/TOKEN/PASS/AUTH/API (values truncated to 100 chars) plus host/user/cwd metadata and exfiltrates over HTTPS POST to an ngrok-tunneled C2. Host-fingerprint sandbox evasion (CPU cores <2; hostname/username blocklist) and delayed exfil. C2 hostname recovered via three-step decode using PyPI-specific base64 XOR key 3zWd1Ua8V/wcYtYxZmQZPQ== (distinct from the npm key). Malicious version 1.0.0.
Threat types
Malicious versions
- 1.0.0
Indicators
Techniques
- ttp T1195.001 Compromise Software Dependencies and Development Toolsuses
- ttp T1036 Masqueradinguses
- ttp T1036.005 Masquerading: Match Legitimate Name or Locationuses
- ttp T1497.001 Virtualization/Sandbox Evasion: System Checksuses
- ttp T1497.003 Virtualization/Sandbox Evasion: Time Based Evasionuses
- ttp T1140 Deobfuscate/Decode Files or Informationuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1552 Unsecured Credentialsuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1572 Protocol Tunnelinguses
- ttp T1059.006 Command and Scripting Interpreter: Pythonuses