VYPR

npm · Malicious package advisory

Malware

@scp3500/openvl

MAL-2026-4431

Malicious code in @scp3500/openvl (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fee1ab6796d8af462e9f00e82a28545b72eae4d9d9f0ab0f36ca4b09cd29487c)
scripts/mcp_server.js loads child_process, fs, and http, reads from process.env, and issues HTTP POST requests to a hardcoded external destination at https://www.yysc.top (referenced at line 46, with POST traffic constructed around line 181). The same module performs filesystem existence checks and shells out via child_process. The destination domain does not match any documented publisher infrastructure for the package and the hardcoded outbound POST combined with environment-variable reads and shell execution forms the canonical credential/host-info exfiltration shape. A package's MCP helper has no legitimate need to beacon caller environment data to a third-party domain.

Compromised versions (1)

  • 1.0.40

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.