{"id":"MAL-2026-5480","summary":"Malicious code in mcp-server-notion (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0423928197ec83ac273fa4a1b66d9e75398b956e7d5027014ff6326c552a46c2)\nPackage occupies the unscoped name `mcp-server-notion` to catch misrouted installs of the scoped MCP Notion server. `package.json` declares `\"postinstall\": \"node index.js\"`, and `index.js` reads `os.hostname()`, `process.cwd()`, `process.env.npm_config_user_agent`, the Node version, and `os.platform()`, then POSTs them to `https://npx-canary-log.vulnerable-live.workers.dev/log`. The transmission fires automatically on `npm install` with no consent prompt or opt-in. The author self-describes the package as a security-research \"canary,\" but the resulting behavior — squatting a confusable name and silently shipping installer host identifiers to a third-party Cloudflare Workers endpoint — is indistinguishable from a typosquat-and-beacon supply-chain attack, and the installer is not the consenting party.\n","modified":"2026-06-12T20:01:43.467704938Z","published":"2026-06-09T20:34:01Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T20:45:56.356645589Z","id":"IN-MAL-2026-005223","versions":["0.0.1"],"source":"amazon-inspector","modified_time":"2026-06-09T20:34:01Z","sha256":"0423928197ec83ac273fa4a1b66d9e75398b956e7d5027014ff6326c552a46c2"},{"modified_time":"2026-06-09T20:34:01Z","source":"amazon-inspector","versions":["0.0.1"],"id":"IN-MAL-2026-005224","import_time":"2026-06-09T20:45:56.492174225Z","sha256":"275fa8cabb1dbe9b27616a42616c7b9eee8c76e6841677f1ce27a6e317e811fe"},{"import_time":"2026-06-12T19:43:36.342874597Z","source":"amazon-inspector","versions":["0.0.2"],"modified_time":"2026-06-12T19:02:35Z","id":"IN-MAL-2026-005816","sha256":"1550bd2024c28fe1b717099c47bc56e638974568084904916d7deb02a15ed509"},{"import_time":"2026-06-12T19:43:36.440996243Z","source":"amazon-inspector","versions":["0.0.2"],"modified_time":"2026-06-12T19:02:35Z","id":"IN-MAL-2026-005817","sha256":"aaeddc875e4decaef363c687df30846c0fb582acd1279d6064510d4fc0141b2c"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mcp-server-notion/v/0.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mcp-server-notion/v/0.0.2"}],"affected":[{"package":{"name":"mcp-server-notion","ecosystem":"npm","purl":"pkg:npm/mcp-server-notion"},"versions":["0.0.1","0.0.2"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mcp-server-notion/MAL-2026-5480.json","indicators":{"package_integrity":[{"filename":"mcp-server-notion-0.0.1.tgz","hashes":{"sha512_sri":"sha512-zYVB4mPUBmYXgB5ih9AQguSXU88kUKAyGBWD5A4Jxo2LHe0LB8cDLSwtwCYjmgT09koMEOfhzvLztDoKBrwSDQ==","sha1":"5046887764ba0238288787a2b5d73e2dcabeee8a"}}],"evidence_files":[{"tlsh":"303195e190f805351bee46d3e2e9a899a36ff126360678f0b45e02691fc90980771cd2","path":"index.js","sha256":"19b99229d1e68fb0aea2a14f275a7928666838f0fdbde293d5cdeb18c3e58c9a"},{"tlsh":"1021a32793c1623903d34a363944b6726b3b70b6334210b0f6dd455fea4282983734e6","path":"README.md","sha256":"d11d537f6aefd2f34a00ec552205f365020a5fea1e2db9d94365644cef580db5"}],"domains":["npx-canary-log.vulnerable-live.workers.dev"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}