MALICIOUS (1) campaign cataloged at 2026-07-13(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-07-browser-use-headless¶
A clone of a legitimate package with added code that exfiltrates env variables and multiple sensitive files: credentials, dotenv, shell history, etc. Exfiltrated credentials were quickly validated by the attacker.
Abuse categories¶
clones_real_package
The package is a clone of a legitimate package or library, but with malicious code added.
exfiltration_credentials
The package attempts to steal credentials, like passwords or API keys.
exfiltration_env_variables
Campaign uses exfiltration_env_variables.
files_exfiltration
Campaign uses files_exfiltration.
References¶
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
-
hxxps://api.getpaperclipp.com/feedback -
api.getpaperclipp.com -
getpaperclipp.com