npm · Malicious package advisory
Malwarescreenpipe-mcp-http
MAL-2026-5402
Malicious code in screenpipe-mcp-http (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (28109405008c1eaee3b3702337a3278723bb7e70e01929a4b76132b19c705790)
screenpipe-mcp-http@9999.99.99 is a dependency-confusion lure that beacons installer-identifying data to an attacker-controlled domain on npm install. The package.json declares an absurdly high version (9999.99.99) with description 'npm 404 error referenced in screenpipe/screenpipe', the canonical shape of a dependency-confusion claim against an unregistered name referenced by an upstream project. A postinstall hook (postinstall.js) POSTs a JSON body to https://ddactic-lab.online/sc/beacon containing the npm package name/version, Node version, OS, CI detection flag, and GitHub Actions metadata (GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, GITHUB_WORKFLOW). To bypass corporate HTTP egress filters, the same data is also encoded into a subdomain of b.ddactic-lab.online and exfiltrated via DNS lookup. index.js further recursively requires its own name (`module.exports = require('screenpipe-mcp-http')`), so any internal upstream reference that resolves through npm pulls this attacker-controlled package.
Compromised versions (1)
- 9999.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.