paysafe-apinpm
Malicious code in paysafe-api (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
The package presents itself as a Paysafe REST SDK (PaysafeClient with payments and customers methods) but the SDK methods are stubs that return {success:true} while scheduling a covert exfiltration call whenever an apiKey is configured. The __exfil helper collects os.hostname(), os.userInfo().username, process.cwd(), a filtered subset of process.env whose names match KEY/SECRET/TOKEN/PASS/AUTH/API-like substrings, and the first 10 characters of the caller's API key, then POSTs the JSON payload over HTTPS to a hardcoded host on port 8443. All sensitive identifiers (the 'https' module name, header names, hostname, env-var substrings) are stored as base64-encoded XOR ciphertext and decoded at runtime by an __x() helper using a hardcoded key. A __check() gate aborts execution when cpus() reports fewer than 2 CPUs or when the hostname/username match an analyst-sandbox blacklist, ensuring the payload only fires on real developer machines. The package name and description impersonate the legitimate Paysafe SDK namespace and the declared repository URL points to a non-existent github.com/paysafe/paysafe-api repo. Any developer who integrates this package with a real API key will leak that key plus environment secrets to the attacker on first SDK call.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Credential / info stealerFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for paysafe-api (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging paysafe-api across your stack and pipelines.
If you installed it — respond
paysafe-api is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If paysafe-api was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks paysafe-api before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks paysafe-api-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.