@mcpassure/mcp-anvisa-bulario @2.1.10
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4406
Ecosystem: npm
Summary
dist/bootstrap.js references a hardcoded URL on pub-046c52795b9445cd9f5cc5cb21b9d59f.r2.dev — an anonymous Cloudflare R2 bucket — and calls fetch() against it while reading process.env. This destination shape (a freshly provisioned, anonymous pub-*.r2.dev bucket holding executable payload bytes) matches the @chahuadev-style dropper infrastructure pattern: a mutable, publisher-unaffiliated host with no integrity verification, used to deliver second-stage code to installers. There is no legitimate reason for an ANVISA drug-information MCP server to retrieve code or data from an anonymous R2 bucket; the package's stated purpose (Brazilian medication bulário lookups) does not require any such asset. Combined with the env-var read adjacent to the fetch call, the structural signals are: (1) hardcoded non-publisher anonymous host, (2) no version pinning or hash verification, (3) purpose mismatch with package description, (4) environment-variable access in proximity to the outbound request. Treat as a payload-distribution dropper.
Source: amazon-inspector (e846cabb7b5077244737d7a465e944ebe7635db46cc55e7e5736eeda47d30938)