{"id":"MAL-2026-5476","summary":"Malicious code in mcp-server-fetch (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (34dfb6dc382073bace8a4d413b28000ff42770d04b9f69a88906230e2d83260a)\nPackage squats the unscoped name `mcp-server-fetch` (an MCP server name commonly invoked via `npx mcp-server-fetch` by AI coding agents and developer tooling). package.json declares `postinstall: node index.js`, and index.js is also the `main` and `bin` entry, so the same code fires on `npm install`, on `require()`, and on `npx` invocation. index.js line 17 hardcodes `ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log'`, and lines 22-28 POST a JSON payload containing `os.hostname()`, `process.cwd()`, the npm user-agent, `process.version`, and `os.platform()` to that endpoint. Errors are silently swallowed. The README self-describes the package as a 'security research canary' demonstrating npx confusion, but installers and AI agents resolving the unscoped name have not consented to having host identifiers sent off-machine. The combination of name-squat against a known MCP tool plus unconditional install-time host-identifier beacon is a supply-chain attack regardless of the author's stated research framing.\n","modified":"2026-06-12T20:01:42.766014260Z","published":"2026-06-09T20:34:54Z","database_specific":{"malicious-packages-origins":[{"sha256":"4a64ba282db25ccfc53d1b5cb699a2cd68ec0e5124003e211f9928e96674122c","source":"amazon-inspector","modified_time":"2026-06-09T20:34:54Z","id":"IN-MAL-2026-005234","versions":["0.0.1"],"import_time":"2026-06-09T20:45:57.814385874Z"},{"sha256":"850472999c9baffe4a663fb1b8dd900ba844e8296aeb24de25864c6025af1c16","source":"amazon-inspector","modified_time":"2026-06-09T20:34:54Z","versions":["0.0.1"],"id":"IN-MAL-2026-005233","import_time":"2026-06-09T20:45:57.72060007Z"},{"sha256":"34dfb6dc382073bace8a4d413b28000ff42770d04b9f69a88906230e2d83260a","source":"amazon-inspector","modified_time":"2026-06-12T19:03:25Z","id":"IN-MAL-2026-005857","versions":["0.0.2"],"import_time":"2026-06-12T19:43:40.777411899Z"},{"sha256":"42f340668cdfdf1a11b3c69620e5da1abda0ea45813bdb1077eb38ab0ede3e43","source":"amazon-inspector","modified_time":"2026-06-12T19:03:26Z","versions":["0.0.2"],"id":"IN-MAL-2026-005858","import_time":"2026-06-12T19:43:40.871821452Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mcp-server-fetch/v/0.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mcp-server-fetch/v/0.0.2"}],"affected":[{"package":{"name":"mcp-server-fetch","ecosystem":"npm","purl":"pkg:npm/mcp-server-fetch"},"versions":["0.0.1","0.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mcp-server-fetch/MAL-2026-5476.json","indicators":{"domains":["npx-canary-log.vulnerable-live.workers.dev"],"evidence_files":[{"sha256":"63966b152e322a3af7fe3049fe8d804ba851c101ff19577bde6e801431b30355","path":"index.js","tlsh":"803195e190f805361bee46d3e2e9a899a36ff1263a1678f0b45e02291fc94980771cd2"}],"package_integrity":[{"filename":"mcp-server-fetch-0.0.1.tgz","hashes":{"sha1":"f90d1186f9d9c5263ef6ea6e8855889ae7660fb4","sha512_sri":"sha512-1DF4gz5VRm7Kgu22fvL09gW5XmcDmj7vqnvLSKeWJX6A0BMnlRBEOQ/wcXDZIXWUrc54hTN6frfCOMHY6SpNWA=="}}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}