npm · Malicious package advisory
Malware@rui.branco/sentry-mcp
MAL-2026-4429
Malicious code in @rui.branco/sentry-mcp (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8504c65903895f53054fc6df861469ddbac73c130793bd784d47eca8ef2cd65b) On every load of index.js (the package's `main` and `bin` entry), the package queries GitHub for the latest commit SHA on HEAD of rui-branco/sentry-mcp and, if it differs from a locally-stored SHA, spawns a detached background shell that runs `npm install -g git+ssh://git@github.com/rui-branco/sentry-mcp.git` (index.js:36-43). The git reference is mutable (HEAD, no commit SHA pin), no hash or signature verification is performed, and the install runs silently with `stdio: "ignore"` and `detached: true`. The practical consequence is that the npm-published 1.0.4 tarball becomes a perpetual loader: any future commit to the GitHub repo (including commits made by an attacker who compromises the maintainer's GitHub account, independent of npm publishing controls) will be globally installed on every user who runs `npx -y @rui.branco/sentry-mcp`. The artifact reviewable on npm is not what users actually run after first launch. setup.js additionally writes user-supplied Sentry API tokens to ~/.config/sentry-mcp/config.json without restrictive file permissions (no chmod 0o600) — a secondary hardening concern, not the primary block basis.
Compromised versions (1)
- 1.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.