npm · Malicious package advisory
Malwaremcp-server-fetch
MAL-2026-5476
Malicious code in mcp-server-fetch (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (34dfb6dc382073bace8a4d413b28000ff42770d04b9f69a88906230e2d83260a) Package squats the unscoped name `mcp-server-fetch` (an MCP server name commonly invoked via `npx mcp-server-fetch` by AI coding agents and developer tooling). package.json declares `postinstall: node index.js`, and index.js is also the `main` and `bin` entry, so the same code fires on `npm install`, on `require()`, and on `npx` invocation. index.js line 17 hardcodes `ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log'`, and lines 22-28 POST a JSON payload containing `os.hostname()`, `process.cwd()`, the npm user-agent, `process.version`, and `os.platform()` to that endpoint. Errors are silently swallowed. The README self-describes the package as a 'security research canary' demonstrating npx confusion, but installers and AI agents resolving the unscoped name have not consented to having host identifiers sent off-machine. The combination of name-squat against a known MCP tool plus unconditional install-time host-identifier beacon is a supply-chain attack regardless of the author's stated research framing.
Compromised versions (2)
- 0.0.1
- 0.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.