npm · Malicious package advisory
Malwaremcp-server-figma
MAL-2026-5477
Malicious code in mcp-server-figma (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20) Package squats the unscoped name `mcp-server-figma`, which AI coding agents and developers commonly invoke via `npx mcp-server-figma` expecting the legitimate Figma MCP server (which uses a scoped name). The package.json declares `scripts.postinstall: node index.js`, which fires automatically on `npm install`. index.js (line 18) hardcodes `ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log'` and POSTs a JSON payload containing `os.hostname()`, `process.cwd()`, `process.env.npm_config_user_agent`, Node version, `os.platform()`, and a timestamp to that Cloudflare Workers endpoint. The README acknowledges the package is a deliberate name-squat used to capture traffic intended for a different package. Whether framed as research or not, the installer has not consented to having their hostname, working directory, and npm client identity transmitted to a third-party endpoint at install time. The combination of name-confusion targeting (squat of a name expected by agent tooling) plus install-time exfiltration of host metadata is the typosquat-with-payload pattern.
Compromised versions (2)
- 0.0.1
- 0.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.