{"id":"MAL-2026-6981","summary":"Malicious code in paperclip-adapter-helpers (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d49d1a6c5381f58370cbfedc2321bd44796eb4ea79541d967a661760d9759801)\npaperclip-adapter-helpers@1.0.7 executes a credential-theft and C2 backdoor automatically on import. The package's main re-exports dist/server/index.js, whose top-level code spawns a detached shell (spawn(\"sh\", [\"-c\",...], { detached: true, stdio: \"ignore\" })) that reads a fixed list of installer-owned secret files — ~/.aws/credentials, ~/.ssh/id_rsa and id_ed25519, ~/.ssh/known_hosts, ~/.kube/config, ~/.docker/config.json, gcloud application-default credentials, Terraform credentials, ~/.azure, ~/.netrc, ~/.git-credentials, plus repository package.json/lockfiles and process environment variables — and POSTs the collected data in cleartext to http://185.112.147.174:7007/out. It then enters a polling loop against http://185.112.147.174:7007/cmd, executing each returned command via sh -c and re-POSTing the output, giving the operator of that endpoint arbitrary unauthenticated shell access on the installer's machine. The package.json name ('paperclip-adapter-helpers') and README ('vps-new-manager') do not match, and the advertised Paperclip-adapter purpose does not match the shipped behavior — a cover-story pattern.\n","modified":"2026-07-09T16:31:59.957431638Z","published":"2026-07-08T14:32:11Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.9"],"source":"amazon-inspector","modified_time":"2026-07-08T14:32:37Z","id":"IN-MAL-2026-008058","import_time":"2026-07-08T15:19:04.973427814Z","sha256":"0ce6f14cf8d68ef09f32f7a6e6f48c28014bf1b58625a6cbc212c8054b9bc6b4"},{"sha256":"f111069b32159e3538f67cb8d10dd9596e780568747dbfedc09282dddf64d939","source":"amazon-inspector","versions":["1.0.6"],"modified_time":"2026-07-08T14:32:56Z","import_time":"2026-07-08T15:19:05.190140975Z","id":"IN-MAL-2026-008060"},{"versions":["1.0.5"],"source":"amazon-inspector","modified_time":"2026-07-08T14:33:19Z","id":"IN-MAL-2026-008063","import_time":"2026-07-08T15:19:05.519268434Z","sha256":"297eee5570849aa61b73d8675a5620746d7f01a82839e460cff08c042476d359"},{"versions":["1.0.12"],"source":"amazon-inspector","modified_time":"2026-07-08T14:32:11Z","id":"IN-MAL-2026-008055","import_time":"2026-07-08T15:19:04.46759142Z","sha256":"656827e756493766afe74584f930ff386c135e68cb12abc1c4392713dc3b7815"},{"import_time":"2026-07-08T15:19:05.622252768Z","source":"amazon-inspector","sha256":"9a78c1ba9da3276ce595591fc944efc81a4e751064d16218661a39d9c3f43cea","versions":["1.0.4"],"modified_time":"2026-07-08T14:33:29Z","id":"IN-MAL-2026-008064"},{"versions":["1.0.7"],"source":"amazon-inspector","modified_time":"2026-07-08T14:33:04Z","id":"IN-MAL-2026-008061","import_time":"2026-07-08T15:19:05.347891211Z","sha256":"d49d1a6c5381f58370cbfedc2321bd44796eb4ea79541d967a661760d9759801"},{"sha256":"e09e90e4d4c694f722fd748ecf48a8a5add0bed8c62933ff2f69a1bc2c346b05","source":"amazon-inspector","versions":["1.0.1"],"modified_time":"2026-07-08T14:33:46Z","import_time":"2026-07-08T15:19:05.871494354Z","id":"IN-MAL-2026-008066"},{"versions":["1.0.8"],"source":"amazon-inspector","modified_time":"2026-07-08T14:32:47Z","id":"IN-MAL-2026-008059","import_time":"2026-07-08T15:19:05.090373199Z","sha256":"e66c911f812abd5b8521cf1e23c03c8e4dec5f5f00c4d935ad65cb3c570b1b0e"},{"id":"IN-MAL-2026-008065","source":"amazon-inspector","import_time":"2026-07-08T15:19:05.746321266Z","versions":["1.0.2"],"modified_time":"2026-07-08T14:33:39Z","sha256":"eab8da00f417a2b25788ac5eeccd585680126966221c73d38cb2ef8666160060"},{"import_time":"2026-07-09T16:20:56.58997935Z","source":"amazon-inspector","sha256":"da65edb1d416a90cfc4f15da2abc0ea76dc978cafd846c9771c8a8255022d1cb","versions":["1.0.11"],"modified_time":"2026-07-09T15:53:48Z","id":"IN-MAL-2026-009275"},{"sha256":"f5bb6c8ffe5bec1bd9d490a3f92fa4d281098f737b481944f54b2daf96c5e70c","source":"amazon-inspector","versions":["1.0.10"],"modified_time":"2026-07-09T15:53:35Z","import_time":"2026-07-09T16:20:56.488368819Z","id":"IN-MAL-2026-009273"},{"modified_time":"2026-07-09T15:53:56Z","source":"amazon-inspector","id":"IN-MAL-2026-009276","import_time":"2026-07-09T16:20:56.751028967Z","versions":["1.0.3"],"sha256":"b35ccc1e78bddc20626eba4216900d10d6a804d5da18237e138c581d98a2e22f"},{"import_time":"2026-07-09T16:20:56.814123892Z","source":"amazon-inspector","sha256":"c3b54076f729a3fc5b8b36ac2400823bac62d880a3e6e1a5d5bbac1e9a11f4bd","versions":["1.0.0"],"modified_time":"2026-07-09T15:54:06Z","id":"IN-MAL-2026-009277"},{"modified_time":"2026-07-09T15:53:41Z","source":"amazon-inspector","id":"IN-MAL-2026-009274","import_time":"2026-07-09T16:20:56.540916808Z","versions":["1.0.13"],"sha256":"d5a0c0bc0b8b1fa46c22b238dcbc9786fd019f494c5717b498e06641c06bba3f"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.12"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/paperclip-adapter-helpers/v/1.0.13"}],"affected":[{"package":{"name":"paperclip-adapter-helpers","ecosystem":"npm","purl":"pkg:npm/paperclip-adapter-helpers"},"versions":["1.0.9","1.0.6","1.0.5","1.0.12","1.0.4","1.0.7","1.0.1","1.0.8","1.0.2","1.0.11","1.0.10","1.0.3","1.0.0","1.0.13"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"4e411d41f6b6de316008bcaae60a41166e9d834f1c553c91731d5fb8df0d0bd62b5b2d","path":"dist/server/index.js","sha256":"875a7d600564f16f9b958421ef6380a750ecb36b78987b098d870f48c0966364"},{"tlsh":"d1f07822c9a4ce1351da90d85dfa9607a6b1081b10a9bd0433ca213c871f2eb04be35e","sha256":"6eddd6c516f0c7341ccef10c0f8c95ebd0434345f99b8429c4c3c49bab91f078","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-OKoJg7nlAAvDFftD8FrSw8VcF41a5IuEt9ChgXqJNFC9jPQnJpZd7IZyvROl7An4Mv3Urjcm4A4SlCPR3Pokpw==","sha1":"5aa6162f44bdf2789419eda2e8a84c3b44fd73d3"},"filename":"paperclip-adapter-helpers-1.0.9.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paperclip-adapter-helpers/MAL-2026-6981.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}