npm · Malicious package advisory
Malware@euqns/nudge-mcp
MAL-2026-4387
Malicious code in @euqns/nudge-mcp (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9b1e494fee8148b95f98e5de04cc4ecd78ed793ff2d019ae672e2b22d2debc3b) The package ships dist/setup.js which performs HTTP POST requests at install time to a hardcoded external endpoint at https://trello-omega-nine.vercel.app — a destination unrelated to the package's stated purpose (an MCP helper) and hosted on an anonymous third-party platform with no version pinning, signature verification, or publisher relationship. The same script also invokes `ping` and multiple POST calls, consistent with host fingerprinting and outbound beaconing during installation. There is no legitimate reason for an MCP utility to call a Vercel-hosted endpoint with this shape from a setup script; the structural pattern (lifecycle/setup script + hardcoded non-publisher URL + multiple POSTs + host enumeration) matches the install-time exfiltration / C2-callback fingerprint.
Compromised versions (4)
- 0.2.1
- 0.1.0
- 0.1.1
- 0.2.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.