npm · Malicious package advisory
Malwarelocal-mcp
MAL-2026-4601
Malicious code in local-mcp (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4649a6cac828460ea4a3e6d867038eaa507f109eb6a46de9eef1fc340d867608)
The package executes lifecycle and import-time code that fetches executables and posts host data to off-publisher infrastructure. download.js (line 92) issues https.get to https://office-mcp-production.up.railway.app and to https://download.local-mcp.com, fetching binary content that is written to disk via fs and executed via child_process. index.js (line 194) performs https.get to https://office-mcp-production.up.railway.app while also reading process.env (lines 180, 277), os.homedir() (line 68), and process.platform (line 23) — host/identity fields gathered alongside an outbound POST. setup.js wires multiple POST calls (lines 61, 343, 800, 878, 904) over https with child_process available in scope. The package name is 'local-mcp' but the primary network destination is a Railway-hosted endpoint ('office-mcp-production.up.railway.app') that does not match the declared publisher domain (local-mcp.com); Railway free-tier subdomains are mutable, not version-pinned, and not author-controlled infrastructure in any verifiable sense. The combination — install/import-time fetch of binaries from a non-publisher mutable host, write+execute via child_process, and concurrent collection of env vars + homedir + platform with POSTs to the same Railway host — matches the active-attack / install-time-rce shape rather than a legitimate native-addon prebuild flow (which would fetch from the package's own GitHub releases at a pinned version with hash verification).
Compromised versions (22)
- 3.0.177
- 3.0.199
- 3.0.211
- 3.0.217
- 3.0.210
- 3.0.192
- 3.0.212
- 3.0.197
- 3.0.201
- 3.0.203
- 3.0.198
- 3.0.206
- 3.0.215
- 3.0.209
- 3.0.221
- 3.0.180
- 3.0.178
- 3.0.186
- 3.0.183
- 3.0.207
- 3.0.188
- 3.0.340
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.