{"id":"MAL-2026-5478","summary":"Malicious code in mcp-server-git (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed)\npackage.json declares `postinstall: node index.js`. On every `npm install`, index.js (lines 14-29) reads `os.hostname()`, `process.cwd()`, `os.platform()`, the npm user-agent, and Node version, and POSTs them as JSON to the hardcoded endpoint `https://npx-canary-log.vulnerable-live.workers.dev/log` (index.js:16). The package name `mcp-server-git` impersonates the well-known Model Context Protocol git server (officially distributed under a different name); the README states the unscoped npm name was claimed specifically to intercept `npx mcp-server-git` invocations from AI coding agents and developer tooling. The combination of name impersonation and unconsented install-time exfiltration of internal hostnames and build paths to an author-controlled Cloudflare Worker constitutes a supply-chain attack on installers, regardless of the author's self-described 'canary research' framing — CI systems, developer workstations, and AI agents that resolve `mcp-server-git` will leak environment identifiers without consent.\n","modified":"2026-06-12T20:01:43.061953189Z","published":"2026-06-09T20:34:59Z","database_specific":{"malicious-packages-origins":[{"versions":["0.0.1"],"modified_time":"2026-06-09T20:34:59Z","id":"IN-MAL-2026-005235","source":"amazon-inspector","import_time":"2026-06-09T20:45:57.967991856Z","sha256":"4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed"},{"source":"amazon-inspector","versions":["0.0.1"],"id":"IN-MAL-2026-005236","modified_time":"2026-06-09T20:34:59Z","import_time":"2026-06-09T20:45:58.33271789Z","sha256":"b36a6a2aba7eabab28a2caa71b383383748c37d5de81b722a86635e94147464b"},{"source":"amazon-inspector","versions":["0.0.2"],"id":"IN-MAL-2026-005798","modified_time":"2026-06-12T19:02:08Z","sha256":"93aa8e811aefc6aaca964052f98ab8b0085363178784b541799c47041e5abada","import_time":"2026-06-12T19:43:34.632364453Z"},{"source":"amazon-inspector","versions":["0.0.2"],"id":"IN-MAL-2026-005799","modified_time":"2026-06-12T19:02:09Z","import_time":"2026-06-12T19:43:34.716842205Z","sha256":"f70580d48e0a909c6f09f16dec5574b029cb97e226c6f9d0de51c3d2317c1c3d"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mcp-server-git/v/0.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mcp-server-git/v/0.0.2"}],"affected":[{"package":{"name":"mcp-server-git","ecosystem":"npm","purl":"pkg:npm/mcp-server-git"},"versions":["0.0.1","0.0.2"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"3f3195e180f805351bee46d3e1e9a899a36ff126360678f0b49e02295fc90980771cd2","path":"index.js","sha256":"5e83b6b67a3582afabe200023d220baac49850a3bd1d292bf90e1c22697a91ed"},{"tlsh":"3ff09e70d87496332afe46a154776444b579a9171680fc2923d3511cd64c5b703bf25d","path":"package.json","sha256":"8f9c35937b99dbe40a493db65f6c8934e1c65a248b69b24c5558507f56e4b05a"}],"package_integrity":[{"filename":"mcp-server-git-0.0.1.tgz","hashes":{"sha1":"15ae727f57d27ba2136c6a9cfd09f9bb389dacca","sha512_sri":"sha512-ceAU3W3ZYBI4zq8mqNajWYt0+7PHwI4QLWw1xdVIOe8EjMpNxtJZsT1XarIaNrZxLi1eaAo0+4WH8rO/PJwdOQ=="}}],"domains":["npx-canary-log.vulnerable-live.workers.dev"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mcp-server-git/MAL-2026-5478.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}