Vulnerability
Malicious code in mcp-server-fetch (npm)
## Source: amazon-inspector (34dfb6dc382073bace8a4d413b28000ff42770d04b9f69a88906230e2d83260a)

The package squats the unscoped name `mcp-server-fetch`, an MCP server name that AI coding agents and developer tooling commonly invoke via `npx mcp-server-fetch`. Its package.json declares `postinstall: node index.js`, and index.js is also the `main` and `bin` entry, so the same code runs on `npm install`, on `require()`, and on `npx` invocation. As a consequence, `npm install --ignore-scripts` suppresses only the postinstall path; the `require()` and `npx` paths still execute the file.

index.js line 17 hardcodes `ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log'`, and lines 22-28 POST a JSON payload containing `os.hostname()`, `process.cwd()`, the npm user-agent, `process.version`, and `os.platform()` to that endpoint. Errors are silently swallowed, so a failed POST produces no visible error during install.

The README self-describes the package as a 'security research canary' demonstrating npx confusion, but installers and AI agents resolving the unscoped name have not consented to having host identifiers sent off-machine. The combination of a name-squat against a known MCP tool and an unconditional install-time host-identifier beacon is a supply-chain attack regardless of the author's stated research framing.
No CVSS base score from NVD or GHSA yet. This record lists no CVE ID, which NVD scoring requires. NVD typically scores within 24–72 hours of a CVE's publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / exploit signals and the EPSS percentile. Re-check this record after the next scheduled refresh; the score is populated automatically when the source publishes.
FIRST.org publishes EPSS daily and scores per CVE ID, so coverage isn't universal: pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Once a CVE ID exists for this package, a score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence