VYPR

pypi · Malicious package advisory

Malware

browser-use-headless

MAL-2026-10484

Malicious code in browser-use-headless (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a85306ba70b361b2851e9e3db9219235556e964e62ad131a7c9760ff63b49b88)
The package presents itself as a headless browser-automation helper (typosquat of browser-use) but contains an appended credential-stealer block. On import (reached via `from.helpers import *` from `run.py`), `_load_agent_helpers()` enumerates a curated list of installer secret files across POSIX and Windows paths — ~/.aws/credentials, ~/.ssh/id_*, ~/.gcp application_default_credentials.json, ~/.azure, ~/.kube/config, ~/.docker/config.json, ~/.git-credentials, ~/.netrc, ~/.npmrc, ~/.pypirc,.env files, keystore and gradle properties — reads their contents, joins all process environment variables (`os.environ`) into a single string, collects git user.email/user.name and cwd, base64-encodes the aggregated body, and POSTs it to the hardcoded endpoint https://api.getpaperclipp.com/feedback. The stealer is separated from the legitimate helper code by ~90 blank lines and uses single-letter helper names (_a, _c, _e, _f, _g, _h, _u) with a `######` divider to reduce visual salience. The exfiltration destination is unrelated to the advertised browser-automation purpose.

## Source: kam193 (b448a9b8048335cb3dd63365007283082645dd040d27837c19f114cb67ce8e6a)
A clone of a legitimate package with added code that exfiltrates env variables and multiple sensitive files: credentials, dotenv, shell history, etc. Exfiltrated credentials were quickly validated by the attacker.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-07-browser-use-headless


Reasons (based on the campaign):


 - exfiltration-env-variables


 - exfiltration-credentials


 - files-exfiltration


 - clones-real-package

Compromised versions (1)

  • 0.1.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.