{"id":"MAL-2025-190909","summary":"Malicious code in @postman/postman-mcp-server (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c7c276129c0d99cb4f8aa63e9f3911b1f38145837396ac3b00ba48533a6050b8)\nThe package @postman/postman-mcp-server was found to contain malicious code.\n\n## Source: google-open-source-security (0c419e14201055a516cc9ef8dfe3f0ecc29ae793e9b304eeb4da6589465ab1d4)\nThis package was compromised by the Sha1-Hulud: The Second Coming NPM worm.\nThe malicious payload steals tokens and credentials and publishes them to\nGitHub. The worm will propagate itself to NPM packages the user owns and\nestablish persistence as a GitHub action.\nThe package may also destroy the user's home directory.\n","modified":"2025-11-26T00:11:26.424027Z","published":"2025-11-24T16:31:47Z","database_specific":{"malicious-packages-origins":[{"sha256":"c7c276129c0d99cb4f8aa63e9f3911b1f38145837396ac3b00ba48533a6050b8","source":"amazon-inspector","versions":["2.4.11","2.4.10"],"import_time":"2025-11-24T16:39:44.011675592Z","modified_time":"2025-11-24T16:31:47Z"},{"sha256":"0c419e14201055a516cc9ef8dfe3f0ecc29ae793e9b304eeb4da6589465ab1d4","source":"google-open-source-security","versions":["2.4.10","2.4.11","2.4.12"],"import_time":"2025-11-25T00:17:33.632418Z","modified_time":"2025-11-25T00:16:49Z"}]},"references":[{"type":"WEB","url":"https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"},{"type":"WEB","url":"https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack"},{"type":"WEB","url":"https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised"}],"affected":[{"package":{"name":"@postman/postman-mcp-server","ecosystem":"npm","purl":"pkg:npm/%40postman/postman-mcp-server"},"versions":["2.4.11","2.4.10","2.4.12"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@postman/postman-mcp-server/MAL-2025-190909.json"}}],"schema_version":"1.7.3","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}