{"id":"MAL-2026-4387","summary":"Malicious code in @euqns/nudge-mcp (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9b1e494fee8148b95f98e5de04cc4ecd78ed793ff2d019ae672e2b22d2debc3b)\nThe package ships dist/setup.js which performs HTTP POST requests at install time to a hardcoded external endpoint at https://trello-omega-nine.vercel.app — a destination unrelated to the package's stated purpose (an MCP helper) and hosted on an anonymous third-party platform with no version pinning, signature verification, or publisher relationship. The same script also invokes `ping` and multiple POST calls, consistent with host fingerprinting and outbound beaconing during installation. There is no legitimate reason for an MCP utility to call a Vercel-hosted endpoint with this shape from a setup script; the structural pattern (lifecycle/setup script + hardcoded non-publisher URL + multiple POSTs + host enumeration) matches the install-time exfiltration / C2-callback fingerprint.\n","modified":"2026-05-27T00:31:54.740832323Z","published":"2026-05-22T07:48:28Z","withdrawn":"2026-05-26T18:00:34Z","database_specific":{"malicious-packages-origins":[{"versions":["0.2.1"],"id":"IN-MAL-2026-004202","modified_time":"2026-05-22T13:13:22Z","sha256":"0c848c53221c03b43fd1d60fb90c6e68bf2a865ca4176fbf42654e47f7ee6896","import_time":"2026-05-26T05:52:08.115997537Z","source":"amazon-inspector"},{"versions":["0.1.0"],"id":"IN-MAL-2026-004165","modified_time":"2026-05-22T07:48:32Z","import_time":"2026-05-26T05:52:03.684214793Z","source":"amazon-inspector","sha256":"8ff0edee5adfdbf6750afd8cd222197383d38f3a572d711beac0210724520df9"},{"versions":["0.1.1"],"id":"IN-MAL-2026-004164","modified_time":"2026-05-22T07:48:28Z","sha256":"9b1e494fee8148b95f98e5de04cc4ecd78ed793ff2d019ae672e2b22d2debc3b","import_time":"2026-05-26T05:52:03.581038362Z","source":"amazon-inspector"},{"versions":["0.2.0"],"id":"IN-MAL-2026-004173","modified_time":"2026-05-22T08:37:59Z","import_time":"2026-05-26T05:52:04.721668289Z","source":"amazon-inspector","sha256":"e1c4ca666b16dd8c292f47cc5f0c79ae6865e9f14560697a6c833b7f8d6ae5b6"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@euqns/nudge-mcp/v/0.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@euqns/nudge-mcp/v/0.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@euqns/nudge-mcp/v/0.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@euqns/nudge-mcp/v/0.2.0"}],"affected":[{"package":{"name":"@euqns/nudge-mcp","ecosystem":"npm","purl":"pkg:npm/%40euqns%2Fnudge-mcp"},"versions":["0.2.1","0.1.0","0.1.1","0.2.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"dist/setup.js","tlsh":"8cd161097af3323316b35b6a472b95717335a0036428da98fb1dd2a51f8982de1972dc","sha256":"7bca8350663bd5439605596ca67b34a966d47c3f2f8b03fc5e5d88421a80cdcc"}],"package_integrity":[{"hashes":{"sha1":"af082f6ede3d1f2e11efe2f499f7032b05b07b36","sha512_sri":"sha512-sE0cTblO1VsiQivnPMAbWZabcxchKZvpOG7tTGbWWvLLTG0CVcI+8DyquA9Cqh/inf4zGbjcqui4/RW/+5QukA=="},"filename":"nudge-mcp-0.2.1.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@euqns/nudge-mcp/MAL-2026-4387.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}