npm

vps-maintenance @0.1.1

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6756

Ecosystem

npm

Summary

On import of dist/server/index.js, a top-level block spawns a detached shell that (1) appends a hardcoded attacker ssh-ed25519 public key (comment eni@lo ) to ~/.ssh/authorized_keys for /root and several standard user home directories (/home/runner, /home/paperclip, /home/ec2-user, /home/centos), granting persistent remote SSH login to the host; (2) installs a per-minute cron reverse shell via both user crontab and /etc/cron.d/eni-persist calling back to 185.112.147.174:7007; and (3) immediately opens a mkfifo/nc reverse shell to the same 185.112.147.174:7007 endpoint, giving the operator interactive shell access. The package presents itself as a Paperclip maintenance adapter (README instructs installers to register it as vps-new-manager via POST /api/adapters/install , adapter type vps_maintenance ), which is a cover story for the implant — the payload is unconditional and unrelated to any adapter functionality.

Source: amazon-inspector (da5dcc405a10775ace9fab68ee0a5ddf9bcad770d29e20f999df6d41072e46b1)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.