{"id":"MAL-2026-5477","summary":"Malicious code in mcp-server-figma (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20)\nPackage squats the unscoped name `mcp-server-figma`, which AI coding agents and developers commonly invoke via `npx mcp-server-figma` expecting the legitimate Figma MCP server (which uses a scoped name). The package.json declares `scripts.postinstall: node index.js`, which fires automatically on `npm install`. index.js (line 18) hardcodes `ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log'` and POSTs a JSON payload containing `os.hostname()`, `process.cwd()`, `process.env.npm_config_user_agent`, Node version, `os.platform()`, and a timestamp to that Cloudflare Workers endpoint. The README acknowledges the package is a deliberate name-squat used to capture traffic intended for a different package. Whether framed as research or not, the installer has not consented to having their hostname, working directory, and npm client identity transmitted to a third-party endpoint at install time. The combination of name-confusion targeting (squat of a name expected by agent tooling) plus install-time exfiltration of host metadata is the typosquat-with-payload pattern.\n","modified":"2026-06-09T21:01:35.803755651Z","published":"2026-06-09T20:34:25Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T20:45:56.74541785Z","id":"IN-MAL-2026-005226","sha256":"29060c34630f9510a380d9a36111d525f2b33db41ee4d079e7d63b3e7c697c76","versions":["0.0.1"],"source":"amazon-inspector","modified_time":"2026-06-09T20:34:25Z"},{"sha256":"474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20","import_time":"2026-06-09T20:45:56.617560075Z","id":"IN-MAL-2026-005225","versions":["0.0.1"],"source":"amazon-inspector","modified_time":"2026-06-09T20:34:25Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mcp-server-figma/v/0.0.1"}],"affected":[{"package":{"name":"mcp-server-figma","ecosystem":"npm","purl":"pkg:npm/mcp-server-figma"},"versions":["0.0.1"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mcp-server-figma/MAL-2026-5477.json","indicators":{"evidence_files":[{"sha256":"45bb30a72275b5e74aeef9851dbc24c2e8a8b033892a419887830aae6e06f1a9","tlsh":"f53195e180f805351bee46d3e1e9a899a36ff126360678f0b45e02291fc94980771cd2","path":"index.js"},{"sha256":"ed21d2fa56cea871dcb3a304def779eb45be0bb6d0921a08bcc47cda0039403f","tlsh":"55f09e60d87595331eed47e14476b488f679a9161240bc2913d3501cd64d5bb03bf25c","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"dabf80b113452ea890aaeb48008e894b4a93010a","sha512_sri":"sha512-kvLuLAKi5DFFqvNK7neLaPitYg6tkrPoTUBfBy54tbGtRWN0b7+hFAqa25YIU23ZIPS+gpN5WeZxTR7r7GWkTw=="},"filename":"mcp-server-figma-0.0.1.tgz"}],"domains":["npx-canary-log.vulnerable-live.workers.dev"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}