VYPR

npm · Malicious package advisory

Malware

local-mcp

MAL-2026-4601

Malicious code in local-mcp (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4649a6cac828460ea4a3e6d867038eaa507f109eb6a46de9eef1fc340d867608)
The package executes lifecycle and import-time code that fetches executables and posts host data to off-publisher infrastructure. download.js (line 92) issues https.get to https://office-mcp-production.up.railway.app and to https://download.local-mcp.com, fetching binary content that is written to disk via fs and executed via child_process. index.js (line 194) performs https.get to https://office-mcp-production.up.railway.app while also reading process.env (lines 180, 277), os.homedir() (line 68), and process.platform (line 23) — host/identity fields gathered alongside an outbound POST. setup.js wires multiple POST calls (lines 61, 343, 800, 878, 904) over https with child_process available in scope. The package name is 'local-mcp' but the primary network destination is a Railway-hosted endpoint ('office-mcp-production.up.railway.app') that does not match the declared publisher domain (local-mcp.com); Railway free-tier subdomains are mutable, not version-pinned, and not author-controlled infrastructure in any verifiable sense. The combination — install/import-time fetch of binaries from a non-publisher mutable host, write+execute via child_process, and concurrent collection of env vars + homedir + platform with POSTs to the same Railway host — matches the active-attack / install-time-rce shape rather than a legitimate native-addon prebuild flow (which would fetch from the package's own GitHub releases at a pinned version with hash verification).

Compromised versions (22)

  • 3.0.177
  • 3.0.199
  • 3.0.211
  • 3.0.217
  • 3.0.210
  • 3.0.192
  • 3.0.212
  • 3.0.197
  • 3.0.201
  • 3.0.203
  • 3.0.198
  • 3.0.206
  • 3.0.215
  • 3.0.209
  • 3.0.221
  • 3.0.180
  • 3.0.178
  • 3.0.186
  • 3.0.183
  • 3.0.207
  • 3.0.188
  • 3.0.340

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.