{"id":"MAL-2026-5402","summary":"Malicious code in screenpipe-mcp-http (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (28109405008c1eaee3b3702337a3278723bb7e70e01929a4b76132b19c705790)\nscreenpipe-mcp-http@9999.99.99 is a dependency-confusion lure that beacons installer-identifying data to an attacker-controlled domain on npm install. The package.json declares an absurdly high version (9999.99.99) with description 'npm 404 error referenced in screenpipe/screenpipe', the canonical shape of a dependency-confusion claim against an unregistered name referenced by an upstream project. A postinstall hook (postinstall.js) POSTs a JSON body to https://ddactic-lab.online/sc/beacon containing the npm package name/version, Node version, OS, CI detection flag, and GitHub Actions metadata (GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, GITHUB_WORKFLOW). To bypass corporate HTTP egress filters, the same data is also encoded into a subdomain of b.ddactic-lab.online and exfiltrated via DNS lookup. index.js further recursively requires its own name (`module.exports = require('screenpipe-mcp-http')`), so any internal upstream reference that resolves through npm pulls this attacker-controlled package.\n","modified":"2026-06-09T17:16:27.960536596Z","published":"2026-06-09T16:05:14Z","database_specific":{"malicious-packages-origins":[{"sha256":"28109405008c1eaee3b3702337a3278723bb7e70e01929a4b76132b19c705790","id":"IN-MAL-2026-004953","versions":["9999.99.99"],"modified_time":"2026-06-09T16:05:14Z","source":"amazon-inspector","import_time":"2026-06-09T16:59:44.135314554Z"},{"sha256":"46c309150113bf04c90487208489e8a26337731319956c1183e7d8e26806a0e0","id":"IN-MAL-2026-004954","versions":["9999.99.99"],"modified_time":"2026-06-09T16:05:14Z","source":"amazon-inspector","import_time":"2026-06-09T16:59:44.206389494Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/screenpipe-mcp-http/v/9999.99.99"}],"affected":[{"package":{"name":"screenpipe-mcp-http","ecosystem":"npm","purl":"pkg:npm/screenpipe-mcp-http"},"versions":["9999.99.99"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/screenpipe-mcp-http/MAL-2026-5402.json","indicators":{"package_integrity":[{"hashes":{"sha1":"c4497cb21f7fb79619b7cc072d8ac2f513dbe20c","sha512_sri":"sha512-JddeLgur3GflpVA9wAG16HSSThBAftsycUc/JTa30JOLU/rlU/Tvr+pXAD9mcyF6JZRrPb6W6gbr7in9oq6Nxw=="},"filename":"screenpipe-mcp-http-9999.99.99.tgz"}],"evidence_files":[{"sha256":"e5c7efaa25bd6fc20c40fe6e39a40957043022e78b5ec6d9ad2b9e49a3ef75c8","path":"postinstall.js","tlsh":"e241a755829891340fe122c9b852c8165d7bd49633e799f0774d15226fc92bc03b2fdf"},{"sha256":"9874231134b39da18e297499e46a85ad612616a4d395396e4e7a3ee74b0252c6","path":"package.json","tlsh":"3ff0aed98d6547b31ed42987cc5a114eb7324c278444780a13d70838974fa6744fd219"}],"domains":["ddactic-lab.online","screenpipe-mcp-http.none.1a63a58b.b.ddactic-lab.online","screenpipe-mcp-http.none.1a63a58b.b.ddactic-lab.online.ec2.internal"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}