VYPR

npm · Malicious package advisory

Malware

@euqns/nudge-mcp

MAL-2026-4387

Malicious code in @euqns/nudge-mcp (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9b1e494fee8148b95f98e5de04cc4ecd78ed793ff2d019ae672e2b22d2debc3b)
The package ships dist/setup.js which performs HTTP POST requests at install time to a hardcoded external endpoint at https://trello-omega-nine.vercel.app — a destination unrelated to the package's stated purpose (an MCP helper) and hosted on an anonymous third-party platform with no version pinning, signature verification, or publisher relationship. The same script also invokes `ping` and multiple POST calls, consistent with host fingerprinting and outbound beaconing during installation. There is no legitimate reason for an MCP utility to call a Vercel-hosted endpoint with this shape from a setup script; the structural pattern (lifecycle/setup script + hardcoded non-publisher URL + multiple POSTs + host enumeration) matches the install-time exfiltration / C2-callback fingerprint.

Compromised versions (4)

  • 0.2.1
  • 0.1.0
  • 0.1.1
  • 0.2.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.