{"id":"MAL-2026-6294","summary":"Malicious code in cue-mcp (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5dce71f7cd453bd73a138279dd78ebc607d7c4f6b171bd3b76c7f456a6eb907a)\nThe package's postinstall.js script runs automatically on `npm install` and collects host identifying data (os.hostname()) along with process environment variables (process.env), then transmits the data over HTTPS. This shape — system-information harvesting at install time and outbound network transmission via the `https` module — is a classic install-time exfiltration pattern. There is no legitimate purpose served by reading the installer's environment variables and hostname during postinstall for a package of this kind. Environment variables on developer and CI machines routinely contain credentials (NPM_TOKEN, GITHUB_TOKEN, AWS keys, CI secrets), so this beacon constitutes credential exfiltration risk against any system that installs the package.\n","modified":"2026-06-23T14:31:19.960014179Z","published":"2026-06-23T14:10:26Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["9999.99.99"],"import_time":"2026-06-23T14:23:02.623475392Z","sha256":"5dce71f7cd453bd73a138279dd78ebc607d7c4f6b171bd3b76c7f456a6eb907a","modified_time":"2026-06-23T14:10:26Z","id":"IN-MAL-2026-007199"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cue-mcp/v/9999.99.99"}],"affected":[{"package":{"name":"cue-mcp","ecosystem":"npm","purl":"pkg:npm/cue-mcp"},"versions":["9999.99.99"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cue-mcp/MAL-2026-6294.json","indicators":{"evidence_files":[{"tlsh":"7951d6664a98d2350ba226edf843d4235dbbd05637d698f0b70d52622fc51ac0272bdf","sha256":"c92690a6cce612b551d38a96579679de4391e2815d486dcb146d2c2257db6ead","path":"postinstall.js"}],"package_integrity":[{"filename":"cue-mcp-9999.99.99.tgz","hashes":{"sha512_sri":"sha512-Y5alvnqilj5ZSJXw3qlS8IsxaZRlwPWnLPJvLpADsDvtngpup75hOMUoLmsj134HbqIMb18lL409vQBtS+2F5w==","sha1":"fc918fa13c4975f4f4408d7230cd921166029645"}}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}