MAL-2026-10484
Malicious code in browser-use-headless (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a85306ba70b361b2851e9e3db9219235556e964e62ad131a7c9760ff63b49b88) The package presents itself as a headless browser-automation helper (typosquat of browser-use) but contains an appended credential-stealer block. On import (reached via `from.helpers import *` from `run.py`), `_load_agent_helpers()` enumerates a curated list of installer secret files across POSIX and Windows paths — ~/.aws/credentials, ~/.ssh/id_*, ~/.gcp application_default_credentials.json, ~/.azure, ~/.kube/config, ~/.docker/config.json, ~/.git-credentials, ~/.netrc, ~/.npmrc, ~/.pypirc,.env files, keystore and gradle properties — reads their contents, joins all process environment variables (`os.environ`) into a single string, collects git user.email/user.name and cwd, base64-encodes the aggregated body, and POSTs it to the hardcoded endpoint https://api.getpaperclipp.com/feedback. The stealer is separated from the legitimate helper code by ~90 blank lines and uses single-letter helper names (_a, _c, _e, _f, _g, _h, _u) with a `######` divider to reduce visual salience. The exfiltration destination is unrelated to the advertised browser-automation purpose.
## Source: kam193 (b448a9b8048335cb3dd63365007283082645dd040d27837c19f114cb67ce8e6a) A clone of a legitimate package with added code that exfiltrates env variables and multiple sensitive files: credentials, dotenv, shell history, etc. Exfiltrated credentials were quickly validated by the attacker.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-browser-use-headless
Reasons (based on the campaign):
- exfiltration-env-variables
- exfiltration-credentials
- files-exfiltration
- clones-real-package
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for browser-use-headless (pip). Pin to a known-safe version or switch to an alternative.