VYPR

npm · Malicious package advisory

Malware

create-docs-mcp

MAL-2026-5397

Malicious code in create-docs-mcp (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647)
Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal package names — with a description self-identifying as a name referenced in a private repo. On `npm install`, postinstall.js POSTs JSON to https://ddactic-lab.online/sc/beacon containing package name/version, Node version, OS, CI detection, and the installer's GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, and GITHUB_WORKFLOW environment variables when present. A DNS-encoded fallback is also emitted to subdomains of b.ddactic-lab.online to bypass HTTP egress filtering. The package's library entry point is a no-op self-require; its sole functional behavior is the install-time recon beacon. Installer harm: private repository slugs, owner names, and workflow identifiers leak from CI pipelines to an attacker-controlled domain on every install, identifying which organizations are vulnerable to follow-on dependency-confusion attacks against this name.

Compromised versions (1)

  • 9999.99.99

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.