The OX Research team found a malicious npm package called paperclip2. It contains only a package.json file. No JavaScript.
A one-liner inside its postinstall script spawns a reverse shell. The absence of any JavaScript files appears designed to evade malware scanners that look for executable code rather than configuration files.
Two related packages use the same reverse shell one-liner in their postinstall scripts:
vps-maintenance
vps-maintenance-paperclip-adapter
Combined, the three packages have been downloaded 1,049 times per week.
Immediate Actions:
Remove the affected packages
Manually inspect and delete any entries referencing these packages in package-lock files and package.json files
Check for unknown and suspicious processes using port 7007 and kill the underlying process
The malware consists only of a package.json file, which contains an embedded postinstall script one-liner:
The malware connects to 185[.]112[.]147[.]174 on port 7007, and spawns a reverse shell.
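The Node script below is an added example, not OX Security's code or tooling. It audits a package the way the description above suggests (a lifecycle script in a package that ships no code files, with network or shell indicators in the command) and searches a package-lock.json for the three named packages, as the Immediate Actions recommend. The package names, host and port are taken from this advisory; the heuristic regex, the placeholder `connect-back` command and the sample lockfile are constructed for the example.

```javascript
// Added example, not OX Security's code: audit an npm package and a package-lock for the
// advisory's pattern. Names, host and port come from the advisory; the rest is constructed.
const KNOWN_BAD_PACKAGES = new Set(['paperclip2', 'vps-maintenance', 'vps-maintenance-paperclip-adapter']);
const KNOWN_BAD_HOST = '185.112.147.174';
const KNOWN_BAD_PORT = 7007;
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare']; // run by `npm install`
// Heuristics for install scripts that reach the network or hand off to a shell:
// raw IPv4 + port, /dev/tcp, nc/ncat, bash -i, curl piped to sh.
const NETWORK_RE =
  /\b\d{1,3}(?:\.\d{1,3}){3}\b[:\/ ]\d{2,5}\b|\/dev\/tcp\/|\bnc\b|\bncat\b|\bbash -i\b|curl[^|]*\|\s*sh\b/i;
// Audit one package: `pkg` is its parsed package.json, `files` the paths it actually
// ships (e.g. from `npm pack --dry-run`). Returns a list of human-readable findings.
function auditPackage(pkg, files) {
  const findings = [];
  const shipsCode = files.some((f) => /\.[cm]?js$|\.ts$|\.node$|\.wasm$/i.test(f));
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // The advisory's key trait: an install hook in a package with no code to build or run.
    if (!shipsCode) findings.push(`${hook}: lifecycle script but the package ships no code files`);
    if (NETWORK_RE.test(cmd)) findings.push(`${hook}: network or shell indicators in command`);
    if (cmd.includes(KNOWN_BAD_HOST) || new RegExp(`\\b${KNOWN_BAD_PORT}\\b`).test(cmd)) {
      findings.push(`${hook}: references the advisory's host or port`);
    }
  }
  if (KNOWN_BAD_PACKAGES.has(pkg.name)) findings.push('package name is on the advisory list');
  return findings;
}
// Find advisory packages in a parsed package-lock.json (v1 "dependencies", v2/v3 "packages").
function auditLockfile(lock) {
  const hits = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const name = key.split('node_modules/').pop(); // "node_modules/a/node_modules/b" -> "b"
    if (KNOWN_BAD_PACKAGES.has(name)) hits.add(name);
  }
  for (const name of Object.keys(lock.dependencies || {})) {
    if (KNOWN_BAD_PACKAGES.has(name)) hits.add(name);
  }
  return [...hits].sort();
}
// Constructed sample input: a package.json-only package whose postinstall runs a
// placeholder connect-back command (not a real payload), and a v3 lockfile.
const SAMPLE_PKG = { name: 'example-adapter', version: '1.0.0',
  scripts: { postinstall: "sh -c 'connect-back 203.0.113.10 7007'" } };
const SAMPLE_FILES = ['package.json'];
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { '': { name: 'my-app' },
  'node_modules/vps-maintenance': { version: '1.0.0' }, 'node_modules/express': { version: '4.19.2' } } };
console.log(auditPackage(SAMPLE_PKG, SAMPLE_FILES), auditLockfile(SAMPLE_LOCK));
```

In a real audit, feed `auditPackage` the package.json and file list of each entry under node_modules, and pair the lockfile check with the port-7007 process check from the Immediate Actions.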
Package name                         Affected versions
paperclip2                           Any
vps-maintenance                      Any
vps-maintenance-paperclip-adapter    Any
The post Malware Detected: Reverse Shell Without JavaScript Files in npm appeared first on OX Security.