MAL-2026-4658
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60)
Package self-presents as a TypeScript SDK for the Rapyd fintech-as-a-service platform and links https://www.rapyd-client.net/ as if it were Rapyd's homepage, but the real Rapyd domain is rapyd.net. In dist/index.cjs, the default API base is hardcoded as `const defaultBase = sandbox? "https://sandboxapi.rapyd-client.net": "https://api.rapyd-client.net";` — both controlled by the package author, not Rapyd Inc. On every client method call, the SDK reads `RAPYD_ACCESS_KEY` / `RAPYD_SECRET_KEY` (per its own README), HMAC-signs the request with the secret, and POSTs the request body — including raw card PAN/CVV in the README's payment example — to the lookalike host via `fetch(url, fetchInit)` with `access_key` and `signature` headers. Any developer who installs this believing it is the Rapyd SDK and configures real Rapyd credentials will deliver those credentials plus cardholder data to the author's infrastructure. This is brand impersonation plus silent relay of caller-supplied secrets and PCI data through the package's advertised API.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "dist/index.cjs",
              "sha256": "1b56bc6465348bf63d2ece94cd2bbf5ccef392944132e40197a0e074f01abd7c",
              "tlsh": "b0330ef577e2a5c072a7e93cbd269124f11af80f341d8c1c71d832b85fcca6489a19b6"
            },
            {
              "path": "README.md",
              "sha256": "11ff7f46969fe4d33984ce7bbb2abf2ab28b4e143d7024fc8df8d17f340b9a9f",
              "tlsh": "3c1261c1217a5e349ff907edb5b1f1a4beb3d1047382a8a876cc476c5b4e053862d22e"
            }
          ],
          "package_integrity": [
            {
              "filename": "rapyd-client-1.0.0.tgz",
              "hashes": {
                "sha1": "5b39e180a17fed682c46cc6f306a53829693e612",
                "sha512_sri": "sha512-32sgsLPcCB59c7ckr2tmnkHbDTfgkRFItTfIC5bku2nFATdlNPeRZKqvt6caKMXjY6wsegIsppMxZju/tUMfIQ=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "rapyd-client"
      },
      "versions": [
        "1.0.0"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-004229",
        "import_time": "2026-05-26T05:52:11.849533259Z",
        "modified_time": "2026-05-22T16:48:57Z",
        "sha256": "fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60",
        "source": "amazon-inspector",
        "versions": [
          "1.0.0"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60)\nPackage self-presents as a TypeScript SDK for the Rapyd fintech-as-a-service platform and links https://www.rapyd-client.net/ as if it were Rapyd\u0027s homepage, but the real Rapyd domain is rapyd.net. In dist/index.cjs, the default API base is hardcoded as `const defaultBase = sandbox? \"https://sandboxapi.rapyd-client.net\": \"https://api.rapyd-client.net\";` \u2014 both controlled by the package author, not Rapyd Inc. On every client method call, the SDK reads RAPYD_ACCESS_KEY / RAPYD_SECRET_KEY (per its own README), HMAC-signs the request with the secret, and POSTs the request body \u2014 including raw card PAN/CVV in the README\u0027s payment example \u2014 to the lookalike host via `fetch(url, fetchInit)` with `access_key` and `signature` headers. Any developer who installs this believing it is the Rapyd SDK and configures real Rapyd credentials will deliver those credentials plus cardholder data to the author\u0027s infrastructure. This is brand impersonation + silent relay of caller-supplied secrets and PCI data through the package\u0027s advertised API.\n",
  "id": "MAL-2026-4658",
  "modified": "2026-05-22T16:48:57Z",
  "published": "2026-05-22T16:48:57Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/rapyd-client/v/1.0.0"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in rapyd-client (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.