MAL-2026-5476
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mcp-server-fetch/MAL-2026-5476.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/MAL-2026-5476
- Published
- 2026-06-09T20:34:54Z
- Modified
- 2026-06-12T20:01:42.766014260Z
- Summary
- Malicious code in mcp-server-fetch (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (34dfb6dc382073bace8a4d413b28000ff42770d04b9f69a88906230e2d83260a)
Package squats the unscoped name
mcp-server-fetch(an MCP server name commonly invoked vianpx mcp-server-fetchby AI coding agents and developer tooling). package.json declarespostinstall: node index.js, and index.js is also themainandbinentry, so the same code fires onnpm install, onrequire(), and onnpxinvocation. index.js line 17 hardcodesENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log', and lines 22-28 POST a JSON payload containingos.hostname(),process.cwd(), the npm user-agent,process.version, andos.platform()to that endpoint. Errors are silently swallowed. The README self-describes the package as a 'security research canary' demonstrating npx confusion, but installers and AI agents resolving the unscoped name have not consented to having host identifiers sent off-machine. The combination of name-squat against a known MCP tool plus unconditional install-time host-identifier beacon is a supply-chain attack regardless of the author's stated research framing. - Database specific
{ "malicious-packages-origins": [ { "modified_time": "2026-06-09T20:34:54Z", "source": "amazon-inspector", "sha256": "4a64ba282db25ccfc53d1b5cb699a2cd68ec0e5124003e211f9928e96674122c", "id": "IN-MAL-2026-005234", "versions": [ "0.0.1" ], "import_time": "2026-06-09T20:45:57.814385874Z" }, { "modified_time": "2026-06-09T20:34:54Z", "source": "amazon-inspector", "sha256": "850472999c9baffe4a663fb1b8dd900ba844e8296aeb24de25864c6025af1c16", "id": "IN-MAL-2026-005233", "import_time": "2026-06-09T20:45:57.72060007Z", "versions": [ "0.0.1" ] }, { "modified_time": "2026-06-12T19:03:25Z", "source": "amazon-inspector", "sha256": "34dfb6dc382073bace8a4d413b28000ff42770d04b9f69a88906230e2d83260a", "id": "IN-MAL-2026-005857", "versions": [ "0.0.2" ], "import_time": "2026-06-12T19:43:40.777411899Z" }, { "modified_time": "2026-06-12T19:03:26Z", "source": "amazon-inspector", "sha256": "42f340668cdfdf1a11b3c69620e5da1abda0ea45813bdb1077eb38ab0ede3e43", "id": "IN-MAL-2026-005858", "versions": [ "0.0.2" ], "import_time": "2026-06-12T19:43:40.871821452Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / mcp-server-fetch
Package
- Name
- mcp-server-fetch
- View open source insights on deps.dev
- Purl
- pkg:npm/mcp-server-fetch
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mcp-server-fetch/MAL-2026-5476.json"
cwes
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
indicators
{
"package_integrity": [
{
"filename": "mcp-server-fetch-0.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-1DF4gz5VRm7Kgu22fvL09gW5XmcDmj7vqnvLSKeWJX6A0BMnlRBEOQ/wcXDZIXWUrc54hTN6frfCOMHY6SpNWA==",
"sha1": "f90d1186f9d9c5263ef6ea6e8855889ae7660fb4"
}
}
],
"evidence_files": [
{
"sha256": "63966b152e322a3af7fe3049fe8d804ba851c101ff19577bde6e801431b30355",
"tlsh": "803195e190f805361bee46d3e2e9a899a36ff1263a1678f0b45e02291fc94980771cd2",
"path": "index.js"
}
],
"domains": [
"npx-canary-log.vulnerable-live.workers.dev"
]
}