MAL-2026-10747
Malicious code in sensorium-mcp (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (73c4ac95caf91cb047bab32d5202efa2dfc2e4f84a032160419a7c30739da91c) sensorium-mcp starts a background poller against api.telegram.org/getUpdates and delivers received message text as prompts to locally spawned Claude Code (invoked with --dangerously-skip-permissions) and Codex (invoked with --dangerously-bypass-approvals-and-sandbox). Because the agents' approval/sandbox prompts are disabled by the package, any party holding the Telegram bot token and chat id can issue instructions that execute as shell and file operations on the installer's host. The keepAlive threads auto-launch when the server is started. In addition, the MCP `send_file` tool accepts any absolute path inside the installer's cwd or home directory, reads the file, and uploads it to the configured Telegram chat via telegram.sendDocument, exposing paths such as ~/.ssh/id_rsa, ~/.aws/credentials, and ~/.npmrc to whoever controls the bot. The ping-related patterns flagged in dist/http-server.js and dist/services/self-update.service.js are health-check / keepalive references and are not the primary basis for this verdict.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for sensorium-mcp (npm). Pin to a known-safe version or switch to an alternative.