VYPR

npm · Malicious package advisory

Malware

cue-mcp

MAL-2026-6294

Malicious code in cue-mcp (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5dce71f7cd453bd73a138279dd78ebc607d7c4f6b171bd3b76c7f456a6eb907a)
The package's postinstall.js script runs automatically on `npm install` and collects host identifying data (os.hostname()) along with process environment variables (process.env), then transmits the data over HTTPS. This shape — system-information harvesting at install time and outbound network transmission via the `https` module — is a classic install-time exfiltration pattern. There is no legitimate purpose served by reading the installer's environment variables and hostname during postinstall for a package of this kind. Environment variables on developer and CI machines routinely contain credentials (NPM_TOKEN, GITHUB_TOKEN, AWS keys, CI secrets), so this beacon constitutes credential exfiltration risk against any system that installs the package.

Compromised versions (1)

  • 9999.99.99

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.