MAL-2025-48558
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/demo-mercadopago-mcp-server/MAL-2025-48558.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2025-48558
- Published
- 2025-10-23T13:00:45Z
- Modified
- 2025-12-02T10:09:13.911403Z
- Summary
- Malicious code in demo-mercadopago-mcp-server (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: ossf-package-analysis (a777ccccffbf142e34b0081be4681c4ffcb72aa584b99d15bfd58878e6085881)
The OpenSSF Package Analysis project identified 'demo-mercadopago-mcp-server' @ 99.0.3 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- Database specific
{ "malicious-packages-origins": [ { "modified_time": "2025-10-23T13:00:45Z", "import_time": "2025-10-23T13:15:25.01209773Z", "versions": [ "99.0.3" ], "source": "ossf-package-analysis", "sha256": "a777ccccffbf142e34b0081be4681c4ffcb72aa584b99d15bfd58878e6085881" }, { "modified_time": "2025-10-23T14:39:23Z", "import_time": "2025-10-23T15:06:43.657977549Z", "versions": [ "99.0.5" ], "source": "ossf-package-analysis", "sha256": "567a3e98973e57d99aff63ebcda420376116ea0f52527e59319e1601718fded6" }, { "versions": [ "99.0.0", "99.0.1", "99.0.2", "99.0.3", "99.0.4", "99.0.5" ], "modified_time": "2025-12-01T13:06:56Z", "import_time": "2025-12-02T09:09:43.629452817Z", "id": "RLMA-2025-05721", "source": "reversing-labs", "sha256": "fa1dce593a9aa27035b2c3fa45594bcb230196511397654ce37de76ebaaff7ad" } ] }- References
-
- Credits
-
-
- Amazon Inspector - FINDER
-
- OpenSSF: Package Analysis - FINDER
-
- ReversingLabs - FINDER
-
Affected packages
npm / demo-mercadopago-mcp-server
Package
- Name
- demo-mercadopago-mcp-server
- View open source insights on deps.dev
- Purl
- pkg:npm/demo-mercadopago-mcp-server