mcp-server-figma @0.0.2
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-5477
Ecosystem: npm
Summary
Package squats the unscoped name mcp-server-figma, which AI coding agents and developers commonly invoke via npx mcp-server-figma expecting the legitimate Figma MCP server (which uses a scoped name). The package.json declares scripts.postinstall: node index.js, which fires automatically on npm install. index.js (line 18) hardcodes ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log' and POSTs a JSON payload containing os.hostname(), process.cwd(), process.env.npm_config_user_agent, the Node version, os.platform(), and a timestamp to that Cloudflare Workers endpoint. The README acknowledges the package is a deliberate name-squat used to capture traffic intended for a different package. Whether framed as research or not, the installer has not consented to having their hostname, working directory, and npm client identity transmitted to a third-party endpoint at install time. The combination of name-confusion targeting (a squat of a name expected by agent tooling) with install-time exfiltration of host metadata is the typosquat-with-payload pattern.
Source: amazon-inspector (474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20)