VYPR

npm · Malicious package advisory

Malware

mcp-server-figma

MAL-2026-5477

Malicious code in mcp-server-figma (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20)
Package squats the unscoped name `mcp-server-figma`, which AI coding agents and developers commonly invoke via `npx mcp-server-figma` expecting the legitimate Figma MCP server (which uses a scoped name). The package.json declares `scripts.postinstall: node index.js`, which fires automatically on `npm install`. index.js (line 18) hardcodes `ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log'` and POSTs a JSON payload containing `os.hostname()`, `process.cwd()`, `process.env.npm_config_user_agent`, Node version, `os.platform()`, and a timestamp to that Cloudflare Workers endpoint. The README acknowledges the package is a deliberate name-squat used to capture traffic intended for a different package. Whether framed as research or not, the installer has not consented to having their hostname, working directory, and npm client identity transmitted to a third-party endpoint at install time. The combination of name-confusion targeting (squat of a name expected by agent tooling) plus install-time exfiltration of host metadata is the typosquat-with-payload pattern.

Compromised versions (2)

  • 0.0.1
  • 0.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.