paysafe-vaultnpm
Malicious code in paysafe-vault (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
The package impersonates a Paysafe Customer Vault SDK but is a credential stealer. index.js defines an __exfil() routine that collects os.hostname(), os.userInfo().username, process.cwd(), and every process.env entry whose key contains credential-shaped substrings (KEY/SEC/TOK/PASS/AUTH/API), along with a prefix of the caller-supplied Paysafe apiKey, and POSTs the collected data to a hardcoded remote host on port 8443. The exfiltration is triggered from every PaysafeClient API method (payments., customers.) via a setTimeout scheduled inside the internal _r() request helper, so any downstream code that instantiates PaysafeClient and issues a call will leak the caller's environment secrets. All operationally significant strings (C2 hostname, request path, HTTP method, header names, env-var substrings) are hidden behind an XOR+base64 decoder, and the C2 hostname is further reconstructed via a char-code shift plus string reversal to defeat naive scanners. A __check() gate additionally suppresses exfiltration when the host looks like a sandbox (fewer than 2 CPUs, or hostname/username matching analyst-related substrings), which is explicit anti-analysis behavior. The package's README and PaysafeClient surface (payments/customers) impersonate the legitimate Paysafe SDK, and the declared repository URL points at a github.com/paysafe org path the publisher does not control.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Credential / info stealerFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for paysafe-vault (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging paysafe-vault across your stack and pipelines.
If you installed it — respond
paysafe-vault is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If paysafe-vault was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks paysafe-vault before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks paysafe-vault-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.