@rui.branco/sentry-mcp @1.0.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-4429
Ecosystem
npm
Summary
On every load of index.js (the package's main and bin entry), the package queries GitHub for the latest commit SHA at HEAD of rui-branco/sentry-mcp and, if it differs from a locally stored SHA, spawns a detached background shell that runs npm install -g git+ssh://git@github.com/rui-branco/sentry-mcp.git (index.js:36-43). The git reference is mutable (HEAD, not pinned to a commit SHA), no hash or signature verification is performed, and the install runs silently with stdio: "ignore" and detached: true. The practical consequence is that the npm-published 1.0.4 tarball becomes a perpetual loader: any future commit to the GitHub repo (including commits made by an attacker who compromises the maintainer's GitHub account, independent of npm publishing controls) is installed globally on every machine that runs npx -y @rui.branco/sentry-mcp. The artifact reviewable on npm is not what users actually run after first launch.

setup.js additionally writes user-supplied Sentry API tokens to ~/.config/sentry-mcp/config.json without restrictive file permissions (no chmod 0o600); this is a secondary hardening concern, not the primary basis for the block.
Source: amazon-inspector (8504c65903895f53054fc6df861469ddbac73c130793bd784d47eca8ef2cd65b)