MAL-2026-4387
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@euqns/nudge-mcp/MAL-2026-4387.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4387
- Withdrawn
- 2026-05-26T18:00:34Z
- Published
- 2026-05-22T07:48:28Z
- Modified
- 2026-05-27T00:31:54.740832323Z
- Summary
- Malicious code in @euqns/nudge-mcp (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (9b1e494fee8148b95f98e5de04cc4ecd78ed793ff2d019ae672e2b22d2debc3b)
The package ships dist/setup.js which performs HTTP POST requests at install time to a hardcoded external endpoint at https://trello-omega-nine.vercel.app — a destination unrelated to the package's stated purpose (an MCP helper) and hosted on an anonymous third-party platform with no version pinning, signature verification, or publisher relationship. The same script also invokes
pingand multiple POST calls, consistent with host fingerprinting and outbound beaconing during installation. There is no legitimate reason for an MCP utility to call a Vercel-hosted endpoint with this shape from a setup script; the structural pattern (lifecycle/setup script + hardcoded non-publisher URL + multiple POSTs + host enumeration) matches the install-time exfiltration / C2-callback fingerprint. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-004202", "versions": [ "0.2.1" ], "sha256": "0c848c53221c03b43fd1d60fb90c6e68bf2a865ca4176fbf42654e47f7ee6896", "source": "amazon-inspector", "modified_time": "2026-05-22T13:13:22Z", "import_time": "2026-05-26T05:52:08.115997537Z" }, { "id": "IN-MAL-2026-004165", "versions": [ "0.1.0" ], "sha256": "8ff0edee5adfdbf6750afd8cd222197383d38f3a572d711beac0210724520df9", "source": "amazon-inspector", "modified_time": "2026-05-22T07:48:32Z", "import_time": "2026-05-26T05:52:03.684214793Z" }, { "id": "IN-MAL-2026-004164", "versions": [ "0.1.1" ], "sha256": "9b1e494fee8148b95f98e5de04cc4ecd78ed793ff2d019ae672e2b22d2debc3b", "source": "amazon-inspector", "modified_time": "2026-05-22T07:48:28Z", "import_time": "2026-05-26T05:52:03.581038362Z" }, { "id": "IN-MAL-2026-004173", "versions": [ "0.2.0" ], "sha256": "e1c4ca666b16dd8c292f47cc5f0c79ae6865e9f14560697a6c833b7f8d6ae5b6", "source": "amazon-inspector", "modified_time": "2026-05-22T08:37:59Z", "import_time": "2026-05-26T05:52:04.721668289Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @euqns/nudge-mcp
Package
- Name
- @euqns/nudge-mcp
- View open source insights on deps.dev
- Purl
- pkg:npm/%40euqns%2Fnudge-mcp
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "dist/setup.js",
"sha256": "7bca8350663bd5439605596ca67b34a966d47c3f2f8b03fc5e5d88421a80cdcc",
"tlsh": "8cd161097af3323316b35b6a472b95717335a0036428da98fb1dd2a51f8982de1972dc"
}
],
"package_integrity": [
{
"filename": "nudge-mcp-0.2.1.tgz",
"hashes": {
"sha512_sri": "sha512-sE0cTblO1VsiQivnPMAbWZabcxchKZvpOG7tTGbWWvLLTG0CVcI+8DyquA9Cqh/inf4zGbjcqui4/RW/+5QukA==",
"sha1": "af082f6ede3d1f2e11efe2f499f7032b05b07b36"
}
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@euqns/nudge-mcp/MAL-2026-4387.json"