npm

local-mcp @3.0.340

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-4601

Ecosystem

npm

Summary

The package executes lifecycle and import-time code that fetches executables and posts host data to off-publisher infrastructure. download.js (line 92) issues https.get to https://office-mcp-production.up.railway.app and to https://download.local-mcp.com, fetching binary content that is written to disk via fs and executed via child_process. index.js (line 194) performs https.get to https://office-mcp-production.up.railway.app while also reading process.env (lines 180, 277), os.homedir() (line 68), and process.platform (line 23) — host/identity fields gathered alongside an outbound POST. setup.js wires multiple POST calls (lines 61, 343, 800, 878, 904) over https with child_process available in scope. The package name is 'local-mcp' but the primary network destination is a Railway-hosted endpoint ('office-mcp-production.up.railway.app') that does not match the declared publisher domain (local-mcp.com); Railway free-tier subdomains are mutable, not version-pinned, and not author-controlled infrastructure in any verifiable sense. The combination — install/import-time fetch of binaries from a non-publisher mutable host, write+execute via child_process, and concurrent collection of env vars + homedir + platform with POSTs to the same Railway host — matches the active-attack / install-time-rce shape rather than a legitimate native-addon prebuild flow (which would fetch from the package's own GitHub releases at a pinned version with hash verification).

Source: amazon-inspector (4649a6cac828460ea4a3e6d867038eaa507f109eb6a46de9eef1fc340d867608)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.