-= Per source details. Do not edit below this line.=-
scripts/mcpserver.js loads childprocess, fs, and http, reads from process.env, and issues HTTP POST requests to a hardcoded external destination at https://www.yysc.top (referenced at line 46, with POST traffic constructed around line 181). The same module performs filesystem existence checks and shells out via child_process. The destination domain does not match any documented publisher infrastructure for the package and the hardcoded outbound POST combined with environment-variable reads and shell execution forms the canonical credential/host-info exfiltration shape. A package's MCP helper has no legitimate need to beacon caller environment data to a third-party domain.
{
"malicious-packages-origins": [
{
"sha256": "fee1ab6796d8af462e9f00e82a28545b72eae4d9d9f0ab0f36ca4b09cd29487c",
"id": "IN-MAL-2026-003534",
"import_time": "2026-05-26T05:50:48.653957001Z",
"modified_time": "2026-05-20T12:58:26Z",
"versions": [
"1.0.40"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "openvl-1.0.40.tgz",
"hashes": {
"sha512_sri": "sha512-EeUKeNxxlUCxyk9Bwu4GsKAT4osmXwWi97aalBCxc/wuUI9phFNAMy+ZINFlzYNIaM5Q18JEmRlHPU+LPruQvw==",
"sha1": "685cdc47b251cf88463005f2a014e92fa4e93f7e"
}
}
],
"evidence_files": [
{
"sha256": "f9b9de6adc9c7ba979c85422b64b46f2bc9f196476e2a60f4191e2f34bbc1a04",
"tlsh": "2202c9ca85f766b68563926d074fd00eb229f5577109caa4fadc83116f8017883b3f9d",
"path": "scripts/mcp_server.js"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@scp3500/openvl/MAL-2026-4431.json"