MAL-2026-5477

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mcp-server-figma/MAL-2026-5477.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5477
Published
2026-06-09T20:34:25Z
Modified
2026-06-09T21:01:35.803755651Z
Summary
Malicious code in mcp-server-figma (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20)

Package squats the unscoped name mcp-server-figma, which AI coding agents and developers commonly invoke via npx mcp-server-figma expecting the legitimate Figma MCP server (which uses a scoped name). The package.json declares scripts.postinstall: node index.js, which fires automatically on npm install. index.js (line 18) hardcodes ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log' and POSTs a JSON payload containing os.hostname(), process.cwd(), process.env.npm_config_user_agent, Node version, os.platform(), and a timestamp to that Cloudflare Workers endpoint. The README acknowledges the package is a deliberate name-squat used to capture traffic intended for a different package. Whether framed as research or not, the installer has not consented to having their hostname, working directory, and npm client identity transmitted to a third-party endpoint at install time. The combination of name-confusion targeting (squat of a name expected by agent tooling) plus install-time exfiltration of host metadata is the typosquat-with-payload pattern.
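The two red flags described above (an install-time lifecycle script plus an unscoped name that collides with a package agent tooling expects) can both be checked from the tarball's metadata before npm is allowed to run anything. The following Python is an added example for this advisory, not code from the package, from OSV or from Amazon Inspector. It parses a constructed package.json mirroring the one described, lists the hooks npm would run automatically, flags the unscoped/scoped name collision, extracts hard-coded URLs from the referenced source text, and matches their hostnames against the advisory's indicator domain. The advisory does not name the legitimate scoped package, so the scope in EXPECTED_SCOPED_PACKAGES is a placeholder; the index.js fragment is constructed and contains only the ENDPOINT constant quoted above, not the payload logic.

```python
"""Pre-install audit of an npm package's metadata (added example, not the page's code)."""
import json
import re
from urllib.parse import urlparse

# Lifecycle scripts that npm runs automatically during `npm install` / `npx`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator domain taken from this advisory.
KNOWN_BAD_DOMAINS = {"npx-canary-log.vulnerable-live.workers.dev"}

# Placeholder: the scoped packages your agent tooling is expected to install.
# The advisory does not name the real scoped package, so this scope is invented.
EXPECTED_SCOPED_PACKAGES = {"@example-scope/mcp-server-figma"}

URL_RE = re.compile(r"https?://[^\s'\"`<>)]+")


def find_install_hooks(pkg):
    """Return only the scripts npm would run without the installer asking."""
    scripts = pkg.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def name_confusion(name, expected_scoped):
    """If an unscoped name equals the basename of an expected scoped package,
    return that scoped package (the one the installer most likely meant)."""
    if not name or name.startswith("@"):
        return None
    for scoped in expected_scoped:
        if scoped.split("/", 1)[-1] == name:
            return scoped
    return None


def find_endpoints(source):
    """Hard-coded http(s) URLs in a source file, in order of appearance."""
    return URL_RE.findall(source)


def audit(package_json_text, source_files, expected_scoped=EXPECTED_SCOPED_PACKAGES):
    """Audit a package before its scripts get a chance to run.

    source_files maps path -> file contents for the files a hook would execute.
    Verdict: "block" on a known-bad endpoint, "review" on an install hook or a
    name collision, otherwise "allow".
    """
    pkg = json.loads(package_json_text)
    hooks = find_install_hooks(pkg)
    confusion = name_confusion(pkg.get("name", ""), expected_scoped)
    endpoints = []
    for text in source_files.values():
        endpoints.extend(find_endpoints(text))
    hosts = {urlparse(u).hostname for u in endpoints}
    bad = sorted(hosts & KNOWN_BAD_DOMAINS)

    if bad:
        verdict = "block"
    elif hooks or confusion:
        verdict = "review"
    else:
        verdict = "allow"
    return {"install_hooks": hooks, "name_confusion": confusion,
            "endpoints": endpoints, "known_bad_domains": bad, "verdict": verdict}


# Constructed sample mirroring the package described in the advisory.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "mcp-server-figma",
    "version": "0.0.1",
    "scripts": {"postinstall": "node index.js"},
})

# Constructed fragment: only the ENDPOINT constant is quoted from the advisory.
SAMPLE_SOURCES = {
    "index.js": "// constructed fragment for the example\n"
                "const ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log';\n",
}

# Constructed benign counterpart: scoped name, no install-time hooks.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "@example-scope/mcp-server-figma",
    "version": "1.0.0",
    "scripts": {"test": "node test.js"},
})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES), indent=2))
    print(json.dumps(audit(BENIGN_PACKAGE_JSON, {}), indent=2))
```

Running the sample yields a "block" verdict with postinstall listed, the scoped collision reported and the indicator domain matched; the benign counterpart yields "allow". Independently of any allowlist, setting ignore-scripts=true in .npmrc (or passing --ignore-scripts to npm install) prevents the postinstall hook described above from running at all, which is the mitigation that would have neutralised this package regardless of which name the agent typed.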

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T20:34:25Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "29060c34630f9510a380d9a36111d525f2b33db41ee4d079e7d63b3e7c697c76",
            "id": "IN-MAL-2026-005226",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:56.74541785Z"
        },
        {
            "modified_time": "2026-06-09T20:34:25Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20",
            "id": "IN-MAL-2026-005225",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:56.617560075Z"
        }
    ]
}
References
Credits

Affected packages

npm / mcp-server-figma

Package

Affected ranges

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "domains": [
        "npx-canary-log.vulnerable-live.workers.dev"
    ],
    "evidence_files": [
        {
            "sha256": "45bb30a72275b5e74aeef9851dbc24c2e8a8b033892a419887830aae6e06f1a9",
            "tlsh": "f53195e180f805351bee46d3e1e9a899a36ff126360678f0b45e02291fc94980771cd2",
            "path": "index.js"
        },
        {
            "sha256": "ed21d2fa56cea871dcb3a304def779eb45be0bb6d0921a08bcc47cda0039403f",
            "tlsh": "55f09e60d87595331eed47e14476b488f679a9161240bc2913d3501cd64d5bb03bf25c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "mcp-server-figma-0.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-kvLuLAKi5DFFqvNK7neLaPitYg6tkrPoTUBfBy54tbGtRWN0b7+hFAqa25YIU23ZIPS+gpN5WeZxTR7r7GWkTw==",
                "sha1": "dabf80b113452ea890aaeb48008e894b4a93010a"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mcp-server-figma/MAL-2026-5477.json"