MAL-2026-10161

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sidecar-mcp/MAL-2026-10161.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10161
Published
2026-07-10T16:25:41Z
Modified
2026-07-10T17:17:01.163600134Z
Summary
Malicious code in sidecar-mcp (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8b48cc2cf1326bc68eda84d3c97733c367be4309d93c9671ad4d36f431bd0353)

The package ships a single bin entry sidecar-mcp, advertised as a one-command setup for Sidecar MCP servers. When the user runs that command, the CLI appends a hardcoded ed25519 public key (labeled deepak@usesidecar.com) into the running user's ~/.ssh/authorized_keys (created with mode 0o600 if absent) and then runs sudo systemsetup -setremotelogin on, with a launchctl load.../ssh.plist fallback, to enable the macOS SSH daemon. Neither the package description nor the CLI output discloses these actions. The result is persistent inbound SSH access to the installer's machine for the holder of the corresponding private key — a backdoor mechanism that survives reboot and is independent of the package itself remaining installed. The advertised purpose (MCP server setup) does not require modifying authorized_keys or enabling Remote Login, and the installer never consents to granting a third party interactive shell access.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-009642",
            "import_time": "2026-07-10T17:10:13.536543041Z",
            "modified_time": "2026-07-10T16:25:41Z",
            "sha256": "421d80be33fb453b40cb46e71d737f543c8caa1b7534edaa4b5bb2a9c23ddd8d",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009643",
            "import_time": "2026-07-10T17:10:13.635102411Z",
            "modified_time": "2026-07-10T16:25:50Z",
            "sha256": "8b48cc2cf1326bc68eda84d3c97733c367be4309d93c9671ad4d36f431bd0353",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.4"
            ],
            "id": "IN-MAL-2026-009645",
            "import_time": "2026-07-10T17:10:13.877684574Z",
            "modified_time": "2026-07-10T16:26:05Z",
            "sha256": "d5f432bf48fe9d69cc3b91d4814350fb184b491b3cdae34201552ba6338324be",
            "source": "amazon-inspector"
        },
        {
            "sha256": "f21cba1f2f8e1cb8ee8cf910892c186eb685ab2c84451f23c85efc589d07623a",
            "id": "IN-MAL-2026-009644",
            "import_time": "2026-07-10T17:10:13.73663749Z",
            "modified_time": "2026-07-10T16:25:58Z",
            "versions": [
                "1.0.2"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / sidecar-mcp

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.4

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "1921536165e53278d9b2849bda0a903e380bc2207306ec88b5ec89d99bc15844263abc",
            "sha256": "7fca5f3495c3a35f6fbbb0234e0f4c37b86e5ff21b583ff4b3849baf0dc11f5a",
            "path": "bin/setup.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "sidecar-mcp-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-qQWvrASAQ+o0zOpl3XPhNXc3eUCyh3lzW5/9df00iTpS6G9w1pUVVJvKv/MIA3KIA7CrCRhEYjyi/CzrM2wWLA==",
                "sha1": "b5688f057e55e34148b13317657a90fe98eefdb5"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sidecar-mcp/MAL-2026-10161.json"