vps-maintenance @0.1.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6756
Ecosystem
npm
Summary
On import of dist/server/index.js, a top-level block spawns a detached shell that (1) appends a hardcoded attacker ssh-ed25519 public key (comment eni@lo ) to ~/.ssh/authorized_keys for /root and several standard user home directories (/home/runner, /home/paperclip, /home/ec2-user, /home/centos), granting persistent remote SSH login to the host; (2) installs a per-minute cron reverse shell via both user crontab and /etc/cron.d/eni-persist calling back to 185.112.147.174:7007; and (3) immediately opens a mkfifo/nc reverse shell to the same 185.112.147.174:7007 endpoint, giving the operator interactive shell access. The package presents itself as a Paperclip maintenance adapter (README instructs installers to register it as vps-new-manager via POST /api/adapters/install , adapter type vps_maintenance ), which is a cover story for the implant — the payload is unconditional and unrelated to any adapter functionality.
Source: amazon-inspector (da5dcc405a10775ace9fab68ee0a5ddf9bcad770d29e20f999df6d41072e46b1)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.