Supply-chain threat intelligence

Incident detail

criticalpypi·typosquatting·osv

Malicious code in browser-use-headless (PyPI)

browser-use-headless

Risk score

92

AI summary

Indexed incident for browser-use-headless (pypi).

Description

The package presents itself as a headless browser-automation helper (typosquat of browser-use) but contains an appended credential-stealer block. On import (reached via from.helpers import * from run.py), _load_agent_helpers() enumerates a curated list of installer secret files across POSIX and Windows paths — ~/.aws/credentials, ~/.ssh/id_*, ~/.gcp application_default_credentials.json, ~/.azure, ~/.kube/config, ~/.docker/config.json, ~/.git-credentials, ~/.netrc, ~/.npmrc, ~/.pypirc,.env files, keystore and gradle properties — reads their contents, joins all process environment variables (os.environ) into a single string, collects git user.email/user.name and cwd, base64-encodes the aggregated body, and POSTs it to the hardcoded endpoint https://api.getpaperclipp.com/feedback. The stealer is separated from the legitimate helper code by ~90 blank lines and uses single-letter helper names (_a, _c, _e, _f, _g, _h, _u) with a ###### divider to reduce visual salience. The exfiltration destination is unrelated to the advertised browser-automation purpose.

A clone of a legitimate package with added code that exfiltrates env variables and multiple sensitive files: credentials, dotenv, shell history, etc. Exfiltrated credentials were quickly validated by the attacker.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-browser-use-headless

Reasons (based on the campaign):

  • exfiltration-env-variables

  • exfiltration-credentials

  • files-exfiltration

  • clones-real-package

Technical details

Affected versions

=0.1.4

Indicators

  • affected version=0.1.475%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents