registry  /  gossipcat  /  0.6.10

gossipcat@0.6.10

Multi-agent orchestration for Claude Code — parallel review, consensus, adaptive dispatch

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The npm `postinstall` mutates a consuming project's broad MCP control configuration. It registers and enables the package's bundled executable as an MCP server without an explicit setup action.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of gossipcat@0.6.10
Impact
Unconsented activation of package-controlled code in an AI-agent/MCP control surface.
Mechanism
postinstall walks to the consumer root and writes/merges `.mcp.json` with a `gossipcat` server entry
Policy narrative
On installation, `scripts/postinstall.js` searches upward from the package directory for a workspace or project root, then creates or merges that project's `.mcp.json`. It injects a `gossipcat` MCP server configured to run the bundled `dist-mcp/mcp-server.js`. This is an unconsented install-time mutation of a foreign, broadly consumed AI-agent control file.
Rationale
Direct inspection confirms a concrete npm postinstall chain that modifies consumer-project MCP configuration and activates package code. Under the install-control-surface policy, this warrants blocking even without observed exfiltration.
Evidence
package.jsonscripts/postinstall.jsdist-mcp/mcp-server.js.mcp.json

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/postinstall.js` automatically on install.
  • `scripts/postinstall.js` walks above `node_modules` to find the consumer workspace/project root.
  • The postinstall script creates or merges the consumer project's `.mcp.json`.
  • It inserts `mcpServers.gossipcat` that executes `node <package>/dist-mcp/mcp-server.js`.
  • This enables the package as an MCP server without an explicit user setup command.
Evidence against
  • The script preserves existing top-level fields and MCP server entries.
  • No install-time network request or credential collection was found in `scripts/postinstall.js`.
  • Bundled provider endpoints in `dist-mcp/mcp-server.js` support declared AI-provider functionality, not the install-time mutation.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 813 KB of source, external domains: github.com, raw.githubusercontent.com, react.dev, www.w3.org
Oversized source lightweight scan
dist-mcp/mcp-server.js3.17 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsraw.githubusercontent.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L2: /** L3: * Generates .mcp.json with the correct absolute path to mcp-server.js L4: * for the current install method (global npm, local project dep, git clone). ... L8: const { join, resolve } = require('path'); L9: const { existsSync, readFileSync, writeFileSync, statSync } = require('fs'); L10: ... L21: L22: // For git clones: skip writing if .mcp.json already exists. Still warn if the L23: // built server is older than package.json — stale-build warning is the most ... L29: // build-recovery path at the end of this script instead. L30: if (isGitClone && existsSync(join(packageRoot, '.mcp.json')) && existsSync(mcpServerPath)) { L31: try { Payload evidence from dist-mcp/default-rules/gossipcat-rules.md: L1: # Gossipcat — Multi-Agent Orchestration L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1
assets/hooks/discipline/pretool-signals-validate.shView file
path = assets/hooks/discipline/pretool-signals-validate.sh kind = build_helper sizeBytes = 1857 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/hooks/discipline/pretool-signals-validate.shView on unpkg
dist-dashboard/assets/Geist-Variable-jflMhO5d.woff2View file
path = dist-dashboard/assets/Geist-Variable-jflMhO5d.woff2 kind = high_entropy_blob sizeBytes = 69740 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist-dashboard/assets/Geist-Variable-jflMhO5d.woff2View on unpkg
dist-mcp/mcp-server.jsView file
path = dist-mcp/mcp-server.js kind = oversized_source_file sizeBytes = 3322076 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-mcp/mcp-server.jsView on unpkg
path = dist-mcp/mcp-server.js kind = oversized_cli_entrypoint sizeBytes = 3322076 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist-mcp/mcp-server.jsView on unpkg

Findings

1 Critical3 High6 Medium7 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobdist-dashboard/assets/Geist-Variable-jflMhO5d.woff2
HighOversized Source Filedist-mcp/mcp-server.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperassets/hooks/discipline/pretool-signals-validate.sh
MediumOversized Cli Entrypointdist-mcp/mcp-server.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings