pypi · Malicious package advisory
Malwarebrowser-use-headless
MAL-2026-10484
Malicious code in browser-use-headless (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (a85306ba70b361b2851e9e3db9219235556e964e62ad131a7c9760ff63b49b88) The package presents itself as a headless browser-automation helper (typosquat of browser-use) but contains an appended credential-stealer block. On import (reached via `from.helpers import *` from `run.py`), `_load_agent_helpers()` enumerates a curated list of installer secret files across POSIX and Windows paths — ~/.aws/credentials, ~/.ssh/id_*, ~/.gcp application_default_credentials.json, ~/.azure, ~/.kube/config, ~/.docker/config.json, ~/.git-credentials, ~/.netrc, ~/.npmrc, ~/.pypirc,.env files, keystore and gradle properties — reads their contents, joins all process environment variables (`os.environ`) into a single string, collects git user.email/user.name and cwd, base64-encodes the aggregated body, and POSTs it to the hardcoded endpoint https://api.getpaperclipp.com/feedback. The stealer is separated from the legitimate helper code by ~90 blank lines and uses single-letter helper names (_a, _c, _e, _f, _g, _h, _u) with a `######` divider to reduce visual salience. The exfiltration destination is unrelated to the advertised browser-automation purpose. ## Source: kam193 (b448a9b8048335cb3dd63365007283082645dd040d27837c19f114cb67ce8e6a) A clone of a legitimate package with added code that exfiltrates env variables and multiple sensitive files: credentials, dotenv, shell history, etc. Exfiltrated credentials were quickly validated by the attacker. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-07-browser-use-headless Reasons (based on the campaign): - exfiltration-env-variables - exfiltration-credentials - files-exfiltration - clones-real-package
Compromised versions (1)
- 0.1.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.