
paperclip2@1.0.0

OSV Malicious Advisory

scanned 1d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6755 confirms this npm version as malicious.

Advisory
MAL-2026-6755
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in paperclip2 (npm)
Details
package.json declares a postinstall lifecycle script that runs `node -e` code opening a TCP connection to 185.112.147.174:7007 and piping the socket to a spawned /bin/sh, giving the operator of that endpoint an interactive shell on the installer's machine. The package ships no other functionality — its sole effect on install is to establish this reverse shell. Any developer workstation or CI job running `npm install paperclip2` is compromised with arbitrary code execution as the invoking user.
Decision reason
OpenSSF Malicious Packages via OSV confirms paperclip2@1.0.0 as malicious (MAL-2026-6755): Malicious code in paperclip2 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
High · OSV Malicious Advisory