-= Per source details. Do not edit below this line.=-
paperclip-adapter-helpers@1.0.7 executes a credential-theft and C2 backdoor automatically on import. The package's main re-exports dist/server/index.js, whose top-level code spawns a detached shell (spawn("sh", ["-c",...], { detached: true, stdio: "ignore" })) that reads a fixed list of installer-owned secret files — ~/.aws/credentials, ~/.ssh/idrsa and ided25519, ~/.ssh/known_hosts, ~/.kube/config, ~/.docker/config.json, gcloud application-default credentials, Terraform credentials, ~/.azure, ~/.netrc, ~/.git-credentials, plus repository package.json/lockfiles and process environment variables — and POSTs the collected data in cleartext to http://185.112.147.174:7007/out. It then enters a polling loop against http://185.112.147.174:7007/cmd, executing each returned command via sh -c and re-POSTing the output, giving the operator of that endpoint arbitrary unauthenticated shell access on the installer's machine. The package.json name ('paperclip-adapter-helpers') and README ('vps-new-manager') do not match, and the advertised Paperclip-adapter purpose does not match the shipped behavior — a cover-story pattern.
{
"malicious-packages-origins": [
{
"sha256": "0ce6f14cf8d68ef09f32f7a6e6f48c28014bf1b58625a6cbc212c8054b9bc6b4",
"id": "IN-MAL-2026-008058",
"source": "amazon-inspector",
"import_time": "2026-07-08T15:19:04.973427814Z",
"modified_time": "2026-07-08T14:32:37Z",
"versions": [
"1.0.9"
]
},
{
"sha256": "f111069b32159e3538f67cb8d10dd9596e780568747dbfedc09282dddf64d939",
"id": "IN-MAL-2026-008060",
"source": "amazon-inspector",
"import_time": "2026-07-08T15:19:05.190140975Z",
"modified_time": "2026-07-08T14:32:56Z",
"versions": [
"1.0.6"
]
},
{
"modified_time": "2026-07-08T14:33:19Z",
"id": "IN-MAL-2026-008063",
"source": "amazon-inspector",
"import_time": "2026-07-08T15:19:05.519268434Z",
"sha256": "297eee5570849aa61b73d8675a5620746d7f01a82839e460cff08c042476d359",
"versions": [
"1.0.5"
]
},
{
"sha256": "656827e756493766afe74584f930ff386c135e68cb12abc1c4392713dc3b7815",
"id": "IN-MAL-2026-008055",
"source": "amazon-inspector",
"import_time": "2026-07-08T15:19:04.46759142Z",
"modified_time": "2026-07-08T14:32:11Z",
"versions": [
"1.0.12"
]
},
{
"sha256": "9a78c1ba9da3276ce595591fc944efc81a4e751064d16218661a39d9c3f43cea",
"id": "IN-MAL-2026-008064",
"source": "amazon-inspector",
"import_time": "2026-07-08T15:19:05.622252768Z",
"modified_time": "2026-07-08T14:33:29Z",
"versions": [
"1.0.4"
]
},
{
"sha256": "d49d1a6c5381f58370cbfedc2321bd44796eb4ea79541d967a661760d9759801",
"id": "IN-MAL-2026-008061",
"source": "amazon-inspector",
"import_time": "2026-07-08T15:19:05.347891211Z",
"modified_time": "2026-07-08T14:33:04Z",
"versions": [
"1.0.7"
]
},
{
"sha256": "e09e90e4d4c694f722fd748ecf48a8a5add0bed8c62933ff2f69a1bc2c346b05",
"id": "IN-MAL-2026-008066",
"source": "amazon-inspector",
"import_time": "2026-07-08T15:19:05.871494354Z",
"modified_time": "2026-07-08T14:33:46Z",
"versions": [
"1.0.1"
]
},
{
"sha256": "e66c911f812abd5b8521cf1e23c03c8e4dec5f5f00c4d935ad65cb3c570b1b0e",
"id": "IN-MAL-2026-008059",
"source": "amazon-inspector",
"import_time": "2026-07-08T15:19:05.090373199Z",
"modified_time": "2026-07-08T14:32:47Z",
"versions": [
"1.0.8"
]
},
{
"sha256": "eab8da00f417a2b25788ac5eeccd585680126966221c73d38cb2ef8666160060",
"id": "IN-MAL-2026-008065",
"source": "amazon-inspector",
"import_time": "2026-07-08T15:19:05.746321266Z",
"modified_time": "2026-07-08T14:33:39Z",
"versions": [
"1.0.2"
]
}
]
}{
"evidence_files": [
{
"path": "dist/server/index.js",
"tlsh": "4e411d41f6b6de316008bcaae60a41166e9d834f1c553c91731d5fb8df0d0bd62b5b2d",
"sha256": "875a7d600564f16f9b958421ef6380a750ecb36b78987b098d870f48c0966364"
},
{
"path": "package.json",
"tlsh": "d1f07822c9a4ce1351da90d85dfa9607a6b1081b10a9bd0433ca213c871f2eb04be35e",
"sha256": "6eddd6c516f0c7341ccef10c0f8c95ebd0434345f99b8429c4c3c49bab91f078"
}
],
"package_integrity": [
{
"filename": "paperclip-adapter-helpers-1.0.9.tgz",
"hashes": {
"sha1": "5aa6162f44bdf2789419eda2e8a84c3b44fd73d3",
"sha512_sri": "sha512-OKoJg7nlAAvDFftD8FrSw8VcF41a5IuEt9ChgXqJNFC9jPQnJpZd7IZyvROl7An4Mv3Urjcm4A4SlCPR3Pokpw=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paperclip-adapter-helpers/MAL-2026-6981.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]