MAL-2026-6294

Malicious code in cue-mcp (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5dce71f7cd453bd73a138279dd78ebc607d7c4f6b171bd3b76c7f456a6eb907a)

The package's postinstall.js script runs automatically on `npm install` and collects host identifying data (os.hostname()) along with process environment variables (process.env), then transmits the data over HTTPS. This shape — system-information harvesting at install time and outbound network transmission via the `https` module — is a classic install-time exfiltration pattern. There is no legitimate purpose served by reading the installer's environment variables and hostname during postinstall for a package of this kind. Environment variables on developer and CI machines routinely contain credentials (NPM_TOKEN, GITHUB_TOKEN, AWS keys, CI secrets), so this beacon constitutes credential exfiltration risk against any system that installs the package.

Affected packages

npm / cue-mcp

No fixed version published yet for cue-mcp (npm). Pin to a known-safe version or switch to an alternative.