MAL-2026-6981

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paperclip-adapter-helpers/MAL-2026-6981.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6981
Published
2026-07-08T14:32:11Z
Modified
2026-07-08T15:31:45.894014705Z
Summary
Malicious code in paperclip-adapter-helpers (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d49d1a6c5381f58370cbfedc2321bd44796eb4ea79541d967a661760d9759801)

paperclip-adapter-helpers@1.0.7 executes a credential-theft and C2 backdoor automatically on import. The package's main re-exports dist/server/index.js, whose top-level code spawns a detached shell (spawn("sh", ["-c",...], { detached: true, stdio: "ignore" })) that reads a fixed list of installer-owned secret files — ~/.aws/credentials, ~/.ssh/idrsa and ided25519, ~/.ssh/known_hosts, ~/.kube/config, ~/.docker/config.json, gcloud application-default credentials, Terraform credentials, ~/.azure, ~/.netrc, ~/.git-credentials, plus repository package.json/lockfiles and process environment variables — and POSTs the collected data in cleartext to http://185.112.147.174:7007/out. It then enters a polling loop against http://185.112.147.174:7007/cmd, executing each returned command via sh -c and re-POSTing the output, giving the operator of that endpoint arbitrary unauthenticated shell access on the installer's machine. The package.json name ('paperclip-adapter-helpers') and README ('vps-new-manager') do not match, and the advertised Paperclip-adapter purpose does not match the shipped behavior — a cover-story pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0ce6f14cf8d68ef09f32f7a6e6f48c28014bf1b58625a6cbc212c8054b9bc6b4",
            "id": "IN-MAL-2026-008058",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:04.973427814Z",
            "modified_time": "2026-07-08T14:32:37Z",
            "versions": [
                "1.0.9"
            ]
        },
        {
            "sha256": "f111069b32159e3538f67cb8d10dd9596e780568747dbfedc09282dddf64d939",
            "id": "IN-MAL-2026-008060",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:05.190140975Z",
            "modified_time": "2026-07-08T14:32:56Z",
            "versions": [
                "1.0.6"
            ]
        },
        {
            "modified_time": "2026-07-08T14:33:19Z",
            "id": "IN-MAL-2026-008063",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:05.519268434Z",
            "sha256": "297eee5570849aa61b73d8675a5620746d7f01a82839e460cff08c042476d359",
            "versions": [
                "1.0.5"
            ]
        },
        {
            "sha256": "656827e756493766afe74584f930ff386c135e68cb12abc1c4392713dc3b7815",
            "id": "IN-MAL-2026-008055",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:04.46759142Z",
            "modified_time": "2026-07-08T14:32:11Z",
            "versions": [
                "1.0.12"
            ]
        },
        {
            "sha256": "9a78c1ba9da3276ce595591fc944efc81a4e751064d16218661a39d9c3f43cea",
            "id": "IN-MAL-2026-008064",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:05.622252768Z",
            "modified_time": "2026-07-08T14:33:29Z",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "sha256": "d49d1a6c5381f58370cbfedc2321bd44796eb4ea79541d967a661760d9759801",
            "id": "IN-MAL-2026-008061",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:05.347891211Z",
            "modified_time": "2026-07-08T14:33:04Z",
            "versions": [
                "1.0.7"
            ]
        },
        {
            "sha256": "e09e90e4d4c694f722fd748ecf48a8a5add0bed8c62933ff2f69a1bc2c346b05",
            "id": "IN-MAL-2026-008066",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:05.871494354Z",
            "modified_time": "2026-07-08T14:33:46Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "sha256": "e66c911f812abd5b8521cf1e23c03c8e4dec5f5f00c4d935ad65cb3c570b1b0e",
            "id": "IN-MAL-2026-008059",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:05.090373199Z",
            "modified_time": "2026-07-08T14:32:47Z",
            "versions": [
                "1.0.8"
            ]
        },
        {
            "sha256": "eab8da00f417a2b25788ac5eeccd585680126966221c73d38cb2ef8666160060",
            "id": "IN-MAL-2026-008065",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T15:19:05.746321266Z",
            "modified_time": "2026-07-08T14:33:39Z",
            "versions": [
                "1.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / paperclip-adapter-helpers

Package

Name
paperclip-adapter-helpers
View open source insights on deps.dev
Purl
pkg:npm/paperclip-adapter-helpers

Affected ranges

Affected versions

1.*
1.0.1
1.0.2
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.12

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "dist/server/index.js",
            "tlsh": "4e411d41f6b6de316008bcaae60a41166e9d834f1c553c91731d5fb8df0d0bd62b5b2d",
            "sha256": "875a7d600564f16f9b958421ef6380a750ecb36b78987b098d870f48c0966364"
        },
        {
            "path": "package.json",
            "tlsh": "d1f07822c9a4ce1351da90d85dfa9607a6b1081b10a9bd0433ca213c871f2eb04be35e",
            "sha256": "6eddd6c516f0c7341ccef10c0f8c95ebd0434345f99b8429c4c3c49bab91f078"
        }
    ],
    "package_integrity": [
        {
            "filename": "paperclip-adapter-helpers-1.0.9.tgz",
            "hashes": {
                "sha1": "5aa6162f44bdf2789419eda2e8a84c3b44fd73d3",
                "sha512_sri": "sha512-OKoJg7nlAAvDFftD8FrSw8VcF41a5IuEt9ChgXqJNFC9jPQnJpZd7IZyvROl7An4Mv3Urjcm4A4SlCPR3Pokpw=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paperclip-adapter-helpers/MAL-2026-6981.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]