Which versions of clipboard-guardian are malicious?

The following npm versions of clipboard-guardian are flagged malicious: 1.0.0, 1.0.1, 1.0.2, 1.0.3. Treat any of these as compromised.

How do I remediate clipboard-guardian if I installed it?

clipboard-guardian is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed clipboard-guardian — how do I know if it already compromised me?

If clipboard-guardian was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is clipboard-guardian part of a known attack campaign?

Yes — clipboard-guardian is associated with the IN-MAL-2026-004542, IN-MAL-2026-004543, IN-MAL-2026-004524, IN-MAL-2026-004545, IN-MAL-2026-004536, IN-MAL-2026-004525, IN-MAL-2026-004537, IN-MAL-2026-004544 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find clipboard-guardian across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for clipboard-guardian (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging clipboard-guardian across your stack and pipelines.

Malicious package

clipboard-guardiannpm

Malicious code in clipboard-guardian (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4290

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall clipboard-guardian

What this malware does

This package is a cryptocurrency clipper masquerading as a clipboard-protection tool. Its postinstall script (npm-install.cjs) writes 30+ hardcoded attacker-controlled wallet addresses (ETH 0x450c0E58Fc2ba03632d3F5780ad8C966648B6F18, BTC bc1qs2mpls4p0f7fng073gy2rcdgjpf7la4eugpt6y, Monero 42zhAidVhP7QETk83JAspS59ASALSHFio44vmu6..., and addresses for ~30 other chains) into the package's config.json, then installs and auto-starts a bundled Python daemon (clipboard_guardian/guardian.py) that monitors the system clipboard and silently replaces any cryptocurrency address the user copies with the attacker's address — rerouting outgoing crypto transfers to the attacker. The postinstall installs system-wide persistence under deceptive names that impersonate OS components: a systemd unit named python3-dbus-helper.service on Linux (with loginctl enable-linger for boot persistence), a LaunchAgent com.apple.python.runtime.plist on macOS, and a Task Scheduler entry PyRuntimeBroker on Windows. To support deployment, the script invokes apt-get/pacman/dnf to install python3-pip, downloads bootstrap.pypa.io/get-pip.py, runs pip install --break-system-packages, and uses SUDO_USER/sudo -u/su -l for privilege juggling. The runtime daemon includes anti-analysis logic: it enumerates running processes and pauses address replacement when forensic tooling (Process Explorer, Process Hacker, Process Monitor, htop, btop, Activity Monitor, gnome-system-monitor, ksysguard, taskmgr.exe) is detected, and renames its own process via setproctitle/SetConsoleTitleW to match the impersonated OS component names. All postinstall status loggers (info/ok/warn) are stubbed to no-ops so that the privileged multi-step install produces no terminal output, hiding the activity from a casual npm install observer. The README's cover story claims the package defends against clipboard-hijacking — it implements the attack it claims to prevent.

The OpenSSF Package Analysis project identified 'clipboard-guardian' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

The package executes one or more commands associated with malicious behavior.

Malicious versions

4 flagged

1.0.01.0.11.0.21.0.3

Indicators of compromise (SHA-256)

594054a5de1b58c5ed2cdd11d2a561b1733798ed39ef0268b80a926a8007e1c3

90983188b7d0104d9777629e73c00d1c7fdb923629204e6e97ef7f2a8b3e55c4

9c2987a4f9d3ec9ca38e2273bbd3f2627bcdb6ce8eeac1bee597179dc4580f62

11c3b919479d4cd54c419070c49749230c3c74ef81321ba62a4e8c95e1699281

605112731a21e3e866efce7b5ba25eece166f71ecaff4ef0dac557602fba8cd1

6cf1e5328821dbb36e54a2d796ad934ebe79257f8927e2ba741016c4a0f2c79d

9e7aed639547e041cacae70c94ac40cf52f9c50f5f5df4a096cef475e883c686

c8b109f53204f480cbab8577c5f2b1d76c65afb621014830df2a815f6dfb96f3

d1e883d9ebf87558dc0aba8446e810464a859fe32e3c528c609162956483f423

0001eebc50a7847126e2aa6b7af9d3f0db1d4b7c274c71ee7b1b09cd799bb6c5

08727f82aee199574c1c75736485c585029c7ca5e99f1cda6d155a01929a5808

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for clipboard-guardian (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging clipboard-guardian across your stack and pipelines.
If you installed it — respond
clipboard-guardian is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If clipboard-guardian was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks clipboard-guardian before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. clipboard-guardian on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2, 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004542IN-MAL-2026-004543IN-MAL-2026-004524IN-MAL-2026-004545IN-MAL-2026-004536IN-MAL-2026-004525IN-MAL-2026-004537IN-MAL-2026-004544

References

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks clipboard-guardian-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring