npm · Malicious package advisory
Malwaremcp-server-sentry
MAL-2026-5483
Malicious code in mcp-server-sentry (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (cf12283b2f16a43388d0cc6c2991fbbdab0da44ab344c1f9c71515dd05024046) On `npm install`, the package's postinstall hook (scripts.postinstall: `node index.js`) collects host identifiers — `os.hostname()`, `process.cwd()`, the npm user-agent, Node version, and `os.platform()`/arch — and POSTs them to a hardcoded remote endpoint at `https://npx-canary-log.vulnerable-live.workers.dev/log` without any installer consent or opt-out. The package name `mcp-server-sentry` is an unscoped squat targeting the MCP/Sentry naming convention used by AI coding agents and developer tooling that invoke `npx mcp-server-sentry` expecting an official MCP server; the README confirms the package was published to capture traffic resolving this unclaimed name. The combination of an intentional name-squat plus install-time outbound transmission of installer identifiers (hostname + working-directory paths, which routinely leak usernames and project layouts) to an author-controlled Cloudflare Workers endpoint is a supply-chain exfiltration shape, regardless of the author's stated 'research canary' intent — installers receive no disclosure and no opportunity to decline before the beacon fires.
Compromised versions (2)
- 0.0.1
- 0.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.