browser-use-headless @0.1.4
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10484
Ecosystem
pypi
Summary
The package presents itself as a headless browser-automation helper (typosquat of browser-use) but contains an appended credential-stealer block. On import (reached via from.helpers import * from run.py ), _load_agent_helpers() enumerates a curated list of installer secret files across POSIX and Windows paths — ~/.aws/credentials, ~/.ssh/id_*, ~/.gcp application_default_credentials.json, ~/.azure, ~/.kube/config, ~/.docker/config.json, ~/.git-credentials, ~/.netrc, ~/.npmrc, ~/.pypirc,.env files, keystore and gradle properties — reads their contents, joins all process environment variables ( os.environ ) into a single string, collects git user.email/user.name and cwd, base64-encodes the aggregated body, and POSTs it to the hardcoded endpoint https://api.getpaperclipp.com/feedback. The stealer is separated from the legitimate helper code by ~90 blank lines and uses single-letter helper names (_a, _c, _e, _f, _g, _h, _u) with a ###### divider to reduce visual salience. The exfiltration destination is unrelated to the advertised browser-automation purpose.
Source: amazon-inspector (a85306ba70b361b2851e9e3db9219235556e964e62ad131a7c9760ff63b49b88)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.