mal-2026-4290
Vulnerability from ossf_malicious_packages
Published
2026-05-24 18:38
Modified
2026-05-26 05:55
Summary
Malicious code in clipboard-guardian (npm)
Details
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (6cf1e5328821dbb36e54a2d796ad934ebe79257f8927e2ba741016c4a0f2c79d)
This package is a cryptocurrency clipper masquerading as a clipboard-protection tool. Its postinstall script (npm-install.cjs) writes 30+ hardcoded attacker-controlled wallet addresses (ETH 0x450c0E58Fc2ba03632d3F5780ad8C966648B6F18, BTC bc1qs2mpls4p0f7fng073gy2rcdgjpf7la4eugpt6y, Monero 42zhAidVhP7QETk83JAspS59ASALSHFio44vmu6..., and addresses for ~30 other chains) into the package's config.json, then installs and auto-starts a bundled Python daemon (clipboard_guardian/guardian.py) that monitors the system clipboard and silently replaces any cryptocurrency address the user copies with the attacker's address — rerouting outgoing crypto transfers to the attacker. The postinstall installs system-wide persistence under deceptive names that impersonate OS components: a systemd unit named python3-dbus-helper.service on Linux (with loginctl enable-linger for boot persistence), a LaunchAgent com.apple.python.runtime.plist on macOS, and a Task Scheduler entry PyRuntimeBroker on Windows. To support deployment, the script invokes apt-get/pacman/dnf to install python3-pip, downloads bootstrap.pypa.io/get-pip.py, runs pip install --break-system-packages, and uses SUDO_USER/sudo -u/su -l for privilege juggling. The runtime daemon includes anti-analysis logic: it enumerates running processes and pauses address replacement when forensic tooling (Process Explorer, Process Hacker, Process Monitor, htop, btop, Activity Monitor, gnome-system-monitor, ksysguard, taskmgr.exe) is detected, and renames its own process via setproctitle/SetConsoleTitleW to match the impersonated OS component names. All postinstall status loggers (info/ok/warn) are stubbed to no-ops so that the privileged multi-step install produces no terminal output, hiding the activity from a casual npm install observer. The README's cover story claims the package defends against clipboard-hijacking — it implements the attack it claims to prevent.
Source: ossf-package-analysis (594054a5de1b58c5ed2cdd11d2a561b1733798ed39ef0268b80a926a8007e1c3)
The OpenSSF Package Analysis project identified 'clipboard-guardian' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
CWE
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"domains": [
"bootstrap.pypa.io"
],
"evidence_files": [
{
"path": "clipboard_guardian/guardian.py",
"sha256": "ac5aca37664b0a0081f13279fc31e58bfd359b7a7564697c362bac590ea2c8fd",
"tlsh": "95627404e969dc2283c2645a0c92c4a276b46fa76d14646c7fbec13c8f5e13fb0f926d"
},
{
"path": "package.json",
"sha256": "e8ed9aa3bb71b98ddf906eb0e7664eacc93c1e1d5a75835ee61ca1f392fa648b",
"tlsh": "c4f08b06c5341f2fb1c8a68d1edb6509b4280d8baa143d2daa83584c0bad53504bf7f9"
},
{
"path": "npm-install.cjs",
"sha256": "e58f6237705a40295bd3ed2a09ef9da7858d4101e3d987c1fbc596aa1c14b04e",
"tlsh": "4642189692b1667c99f3a66ea687502b01198d1f3501f89cf5ae90dc0f0f139837b73e"
}
],
"package_integrity": [
{
"filename": "clipboard-guardian-1.0.2.tgz",
"hashes": {
"sha1": "6c75473cf57c2307747e138697133f75ed8a7c96",
"sha512_sri": "sha512-ejWz695joojg8jpOBrwmYsLPku0mUg0scYnOoJD/C1afo2IMhgmx+bkVVqjKPsyUK9oihX+ekaDTR4qen27HZg=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "clipboard-guardian"
},
"versions": [
"1.0.0",
"1.0.1",
"1.0.2",
"1.0.3"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://github.com/ossf/package-analysis",
"https://openssf.slack.com/channels/package_analysis"
],
"name": "OpenSSF: Package Analysis",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"import_time": "2026-05-24T21:49:24.4733663Z",
"modified_time": "2026-05-24T19:22:33Z",
"sha256": "594054a5de1b58c5ed2cdd11d2a561b1733798ed39ef0268b80a926a8007e1c3",
"source": "ossf-package-analysis",
"versions": [
"1.0.0"
]
},
{
"import_time": "2026-05-24T21:49:24.716073482Z",
"modified_time": "2026-05-24T19:27:24Z",
"sha256": "90983188b7d0104d9777629e73c00d1c7fdb923629204e6e97ef7f2a8b3e55c4",
"source": "ossf-package-analysis",
"versions": [
"1.0.1"
]
},
{
"import_time": "2026-05-24T21:49:24.997532419Z",
"modified_time": "2026-05-24T20:07:32Z",
"sha256": "9c2987a4f9d3ec9ca38e2273bbd3f2627bcdb6ce8eeac1bee597179dc4580f62",
"source": "ossf-package-analysis",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-004542",
"import_time": "2026-05-26T05:52:48.384586232Z",
"modified_time": "2026-05-24T20:03:58Z",
"sha256": "11c3b919479d4cd54c419070c49749230c3c74ef81321ba62a4e8c95e1699281",
"source": "amazon-inspector",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-004543",
"import_time": "2026-05-26T05:52:48.481861691Z",
"modified_time": "2026-05-24T20:03:59Z",
"sha256": "605112731a21e3e866efce7b5ba25eece166f71ecaff4ef0dac557602fba8cd1",
"source": "amazon-inspector",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-004524",
"import_time": "2026-05-26T05:52:46.445131525Z",
"modified_time": "2026-05-24T18:38:12Z",
"sha256": "6cf1e5328821dbb36e54a2d796ad934ebe79257f8927e2ba741016c4a0f2c79d",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
},
{
"id": "IN-MAL-2026-004545",
"import_time": "2026-05-26T05:52:48.69498734Z",
"modified_time": "2026-05-24T20:04:03Z",
"sha256": "9e7aed639547e041cacae70c94ac40cf52f9c50f5f5df4a096cef475e883c686",
"source": "amazon-inspector",
"versions": [
"1.0.3"
]
},
{
"id": "IN-MAL-2026-004536",
"import_time": "2026-05-26T05:52:47.755408093Z",
"modified_time": "2026-05-24T19:22:52Z",
"sha256": "c8b109f53204f480cbab8577c5f2b1d76c65afb621014830df2a815f6dfb96f3",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
},
{
"id": "IN-MAL-2026-004525",
"import_time": "2026-05-26T05:52:46.538588391Z",
"modified_time": "2026-05-24T18:38:12Z",
"sha256": "d1e883d9ebf87558dc0aba8446e810464a859fe32e3c528c609162956483f423",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
},
{
"id": "IN-MAL-2026-004537",
"import_time": "2026-05-26T05:52:47.866031383Z",
"modified_time": "2026-05-24T19:22:52Z",
"sha256": "0001eebc50a7847126e2aa6b7af9d3f0db1d4b7c274c71ee7b1b09cd799bb6c5",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
},
{
"id": "IN-MAL-2026-004544",
"import_time": "2026-05-26T05:52:48.579426711Z",
"modified_time": "2026-05-24T20:04:03Z",
"sha256": "08727f82aee199574c1c75736485c585029c7ca5e99f1cda6d155a01929a5808",
"source": "amazon-inspector",
"versions": [
"1.0.3"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6cf1e5328821dbb36e54a2d796ad934ebe79257f8927e2ba741016c4a0f2c79d)\nThis package is a cryptocurrency clipper masquerading as a clipboard-protection tool. Its postinstall script (npm-install.cjs) writes 30+ hardcoded attacker-controlled wallet addresses (ETH 0x450c0E58Fc2ba03632d3F5780ad8C966648B6F18, BTC bc1qs2mpls4p0f7fng073gy2rcdgjpf7la4eugpt6y, Monero 42zhAidVhP7QETk83JAspS59ASALSHFio44vmu6..., and addresses for ~30 other chains) into the package\u0027s config.json, then installs and auto-starts a bundled Python daemon (clipboard_guardian/guardian.py) that monitors the system clipboard and silently replaces any cryptocurrency address the user copies with the attacker\u0027s address \u2014 rerouting outgoing crypto transfers to the attacker. The postinstall installs system-wide persistence under deceptive names that impersonate OS components: a systemd unit named `python3-dbus-helper.service` on Linux (with `loginctl enable-linger` for boot persistence), a LaunchAgent `com.apple.python.runtime.plist` on macOS, and a Task Scheduler entry `PyRuntimeBroker` on Windows. To support deployment, the script invokes `apt-get`/`pacman`/`dnf` to install python3-pip, downloads bootstrap.pypa.io/get-pip.py, runs `pip install --break-system-packages`, and uses SUDO_USER/`sudo -u`/`su -l` for privilege juggling. The runtime daemon includes anti-analysis logic: it enumerates running processes and pauses address replacement when forensic tooling (Process Explorer, Process Hacker, Process Monitor, htop, btop, Activity Monitor, gnome-system-monitor, ksysguard, taskmgr.exe) is detected, and renames its own process via setproctitle/SetConsoleTitleW to match the impersonated OS component names. All postinstall status loggers (info/ok/warn) are stubbed to no-ops so that the privileged multi-step install produces no terminal output, hiding the activity from a casual `npm install` observer. The README\u0027s cover story claims the package defends against clipboard-hijacking \u2014 it implements the attack it claims to prevent.\n\n## Source: ossf-package-analysis (594054a5de1b58c5ed2cdd11d2a561b1733798ed39ef0268b80a926a8007e1c3)\nThe OpenSSF Package Analysis project identified \u0027clipboard-guardian\u0027 @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n",
"id": "MAL-2026-4290",
"modified": "2026-05-26T05:55:02Z",
"published": "2026-05-24T18:38:12Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/clipboard-guardian/v/1.0.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/clipboard-guardian/v/1.0.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/clipboard-guardian/v/1.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/clipboard-guardian/v/1.0.3"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in clipboard-guardian (npm)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…