sp-api-dev-assistant-mcp-server @99.9.0
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-5853
Ecosystem
npm
Summary
Package contains only package.json and README.md, with the README explicitly stating it is a proof-of-concept squatting an unclaimed npm name that was referenced as a dependency in an Amazon-internal repository. The version is set to 99.9.0 to win semver resolution against any internal release. The current tarball ships no scripts , no main , and no source files, so installing this version performs no code execution and exfiltrates no data — the harm is limited to the name being held by a non-Amazon party who could publish payload-bearing future versions. Installers whose package manager resolves the public npm registry for this name would receive whatever the squatter publishes next.
Source: amazon-inspector (18b5b59005300a7a8612a3bf36d3707df573ac722e94e52a3854844345d63745)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.