{"id":"MAL-2025-190918","summary":"Malicious code in @zapier/mcp-integration (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (41b2f7745be8592869c863671add1d5a04c1d33f7a2c23a54fde611a5e021226)\nThe package @zapier/mcp-integration was found to contain malicious code.\n\n## Source: google-open-source-security (e9d6f4a9178c13ce6f013df2191cd2531825c9e69a1262067f9530fe86ca4fa9)\nThis package was compromised by the Sha1-Hulud: The Second Coming NPM worm.\nThe malicious payload steals tokens and credentials and publishes them to\nGitHub. The worm will propagate itself to NPM packages the user owns and\nestablish persistence as a GitHub action.\nThe package may also destroy the user's home directory.\n","modified":"2025-11-26T00:12:26.024961Z","published":"2025-11-24T16:31:47Z","database_specific":{"malicious-packages-origins":[{"versions":["3.0.1","3.0.3"],"sha256":"41b2f7745be8592869c863671add1d5a04c1d33f7a2c23a54fde611a5e021226","source":"amazon-inspector","import_time":"2025-11-24T16:39:40.346756689Z","modified_time":"2025-11-24T16:31:47Z"},{"versions":["3.0.1","3.0.2","3.0.3"],"sha256":"e9d6f4a9178c13ce6f013df2191cd2531825c9e69a1262067f9530fe86ca4fa9","source":"google-open-source-security","import_time":"2025-11-25T00:17:34.396601Z","modified_time":"2025-11-25T00:16:49Z"}]},"references":[{"type":"WEB","url":"https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"},{"type":"WEB","url":"https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack"},{"type":"WEB","url":"https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised"}],"affected":[{"package":{"name":"@zapier/mcp-integration","ecosystem":"npm","purl":"pkg:npm/%40zapier/mcp-integration"},"versions":["3.0.1","3.0.3","3.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zapier/mcp-integration/MAL-2025-190918.json"}}],"schema_version":"1.7.3","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}