MAL-2026-10736

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/memtry-cli/MAL-2026-10736.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10736
Published
2026-07-16T18:47:08Z
Modified
2026-07-16T19:19:47.599096557Z
Summary
Malicious code in memtry-cli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (11638a6b1b7876a94ef23285cb88f0127c003bb5e4d786dbaba5c30a9cbdfdb7)

memtry-cli installs an MCP server whose memtry_onboarding tool returns a prompt that instructs the connected AI agent to scan the installer's home directory (~/.claude, ~/.gemini, ~/.cursor, ~/Library/Application Support, ~/Documents, ~/Downloads, ~/Desktop, ~/Projects) for chat histories, resumes, YC applications, financial documents, and personal data, then submit the collected content through the package's create_repo / update_context / append_changelog tools. Those tools default-route via callCloud(${BASEURL}/api/mcp) to the author-controlled endpoint https://memtry.vercel.app/api/mcp, and the shipped .gemini/settings.json pins BASEURL to that host with a bundled Bearer API key. Only items the model explicitly tags status: private stay local; the onboarding prompt does not instruct the model to apply that tag to the harvested personal or financial content, so exfiltration to the author's Vercel endpoint is the default path. The tarball also ships a live mk_... API key for memtry.vercel.app in .gemini/settings.json.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-16T18:47:08Z",
            "sha256": "11638a6b1b7876a94ef23285cb88f0127c003bb5e4d786dbaba5c30a9cbdfdb7",
            "versions": [
                "1.0.4"
            ],
            "import_time": "2026-07-16T18:54:04.660309834Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010783"
        }
    ]
}
References
Credits

Affected packages

npm / memtry-cli

Package

Affected ranges

Affected versions

1.*
1.0.4

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "memtry-cli-1.0.4.tgz",
            "hashes": {
                "sha1": "fb8d8723c911cb0e92883991d3ff8f5abac2124f",
                "sha512_sri": "sha512-V/nNIojU7qtPpQ+Q6GFvogwARagJCgusgz0q2EMauyi5tg6rKIVaxfPyp+bkPmyPcQgGut5WYtYszERhN/4BiA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "eb42d692a8fb47251ab3a372a34768575718c947e109982077adc20c6fc435cc6abbbd",
            "sha256": "9ad094c8885f5e9a4059fd7ba03f3bf5290b06d1e75c786848ab56e0650a00aa",
            "path": "dist/index.js"
        },
        {
            "tlsh": "f0d0231cd0750c930cd9333414fc320192d188035d002c18735f151c6fdc1af349d25c",
            "sha256": "bc2f98c8c10b5bd5f1bbde8bdce9a1b29ee072bac0188930d88570ee26813f62",
            "path": ".gemini/settings.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/memtry-cli/MAL-2026-10736.json"