cue-mcp @9999.99.99
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6294
Ecosystem: npm
Summary:
The package's postinstall.js script runs automatically on npm install and collects host identifying data (os.hostname()) along with process environment variables (process.env), then transmits the data over HTTPS. This shape — system-information harvesting at install time and outbound network transmission via the https module — is a classic install-time exfiltration pattern. There is no legitimate purpose served by reading the installer's environment variables and hostname during postinstall for a package of this kind. Environment variables on developer and CI machines routinely contain credentials (NPM_TOKEN, GITHUB_TOKEN, AWS keys, CI secrets), so this beacon constitutes credential exfiltration risk against any system that installs the package.
Source: amazon-inspector (5dce71f7cd453bd73a138279dd78ebc607d7c4f6b171bd3b76c7f456a6eb907a)
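The shape the summary describes (an install-time lifecycle hook that reads host identity and environment variables and has outbound network capability) can be screened for before a package's scripts are allowed to run. The following heuristic is an added illustration, not code from the OSV record or from the package; the package name and script contents are constructed, and the caller is assumed to resolve each hook command to the source of the file it runs.

```javascript
// Added example (not from the OSV record or the package it describes):
// flag npm packages whose install-time lifecycle script both reads host
// identity / environment variables and can reach the network.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators taken from the advisory's description of the pattern:
// data-harvesting APIs, and modules that can transmit data outbound.
const HOST_READS = [/os\.hostname\s*\(/, /os\.userInfo\s*\(/, /process\.env\b/];
const NET_USE = [/require\(\s*["'](https?|net|dns)["']\s*\)/, /\bfetch\s*\(/];

// Lifecycle hooks in package.json that npm runs automatically on install.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
}

// Scan one script's source; both harvesting and network use must be present.
function analyzeScriptSource(src) {
  const hostReads = HOST_READS.filter((re) => re.test(src)).map(String);
  const netUse = NET_USE.filter((re) => re.test(src)).map(String);
  return { hostReads, netUse, suspicious: hostReads.length > 0 && netUse.length > 0 };
}

// hookSources maps hook name -> contents of the file the hook command runs
// (resolved by the caller); falls back to the command string itself.
function assessPackage(pkg, hookSources = {}) {
  const findings = findInstallHooks(pkg).map((hook) => {
    const src = hookSources[hook] || pkg.scripts[hook];
    return { hook, command: pkg.scripts[hook], ...analyzeScriptSource(src) };
  });
  return { name: pkg.name, findings, flagged: findings.some((f) => f.suspicious) };
}

// Constructed sample in the shape the advisory describes (placeholder package
// name; the request body and destination are deliberately omitted).
const SAMPLE_PACKAGE = {
  name: "example-pkg",
  scripts: { postinstall: "node postinstall.js", test: "node test.js" },
};
const SAMPLE_HOOK_SOURCES = {
  postinstall: [
    'const os = require("os");',
    'const https = require("https");',
    "const info = { host: os.hostname(), env: process.env };",
    "// info would be handed to https.request here (omitted in this sample)",
  ].join("\n"),
};

function runSample() {
  return assessPackage(SAMPLE_PACKAGE, SAMPLE_HOOK_SOURCES);
}

console.log(JSON.stringify(runSample(), null, 2));
```

A scan like this complements, rather than replaces, setting `ignore-scripts=true` in `.npmrc`, which stops lifecycle scripts from running at all; the scan then informs the decision to re-enable them for a given package.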