Skip to content

MALICIOUS (1) campaign cataloged at 2026-07-07(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-07-paysafe-api

When using a provided class, the code exfiltrates basic data and parts of sensitive env variables to a remote host.

Abuse categories

action-hidden-in-lib-usage

The malicious action is hidden in the code and starts when user interacts with it (e.g. during class initialization or by exfiltrating given credentials).

dependency-confusion

An attempt to exploit dependency confusion

exfiltration_env_variables

Campaign uses exfiltration_env_variables.

obfuscation

Code uses obfuscation techniques to hide its true purpose.

sandbox-detection

The package contains code to detect if it is running in a sandbox environment.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • caliber-spinner-finishing.ngrok-free.dev

Packages in the campaign

campaign:2026-07-paysafe-api