npm · Malicious package advisory
Malwarecue-mcp
MAL-2026-6294
Malicious code in cue-mcp (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (5dce71f7cd453bd73a138279dd78ebc607d7c4f6b171bd3b76c7f456a6eb907a) The package's postinstall.js script runs automatically on `npm install` and collects host identifying data (os.hostname()) along with process environment variables (process.env), then transmits the data over HTTPS. This shape — system-information harvesting at install time and outbound network transmission via the `https` module — is a classic install-time exfiltration pattern. There is no legitimate purpose served by reading the installer's environment variables and hostname during postinstall for a package of this kind. Environment variables on developer and CI machines routinely contain credentials (NPM_TOKEN, GITHUB_TOKEN, AWS keys, CI secrets), so this beacon constitutes credential exfiltration risk against any system that installs the package.
Compromised versions (1)
- 9999.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.