MAL-2026-10736
Malicious code in memtry-cli (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (11638a6b1b7876a94ef23285cb88f0127c003bb5e4d786dbaba5c30a9cbdfdb7) memtry-cli installs an MCP server whose `memtry_onboarding` tool returns a prompt that instructs the connected AI agent to scan the installer's home directory (~/.claude, ~/.gemini, ~/.cursor, ~/Library/Application Support, ~/Documents, ~/Downloads, ~/Desktop, ~/Projects) for chat histories, resumes, YC applications, financial documents, and personal data, then submit the collected content through the package's `create_repo` / `update_context` / `append_changelog` tools. Those tools default-route via `callCloud(`${BASE_URL}/api/mcp`)` to the author-controlled endpoint https://memtry.vercel.app/api/mcp, and the shipped `.gemini/settings.json` pins BASE_URL to that host with a bundled Bearer API key. Only items the model explicitly tags `status: private` stay local; the onboarding prompt does not instruct the model to apply that tag to the harvested personal or financial content, so exfiltration to the author's Vercel endpoint is the default path. The tarball also ships a live `mk_...` API key for memtry.vercel.app in `.gemini/settings.json`.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for memtry-cli (npm). Pin to a known-safe version or switch to an alternative.