registry  /  gossipcat  /  0.6.11

gossipcat@0.6.11

Multi-agent orchestration for Claude Code — parallel review, consensus, adaptive dispatch

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package silently mutates the consuming project’s `.mcp.json`, adding a package-controlled MCP server. A later AI-agent session can launch that server automatically through the MCP configuration. Other Claude hook writes are exposed through an explicit runtime setup tool, not postinstall.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
npm postinstall in a local dependency installation; then an MCP-capable AI client loading the project configuration
Impact
Registers a package-controlled executable in an AI-agent control surface without an explicit setup command.
Mechanism
install-time consumer-project MCP configuration injection
Policy narrative
On `npm install`, `scripts/postinstall.js` walks out of the package directory to find the consuming project or workspace and writes/merges its `.mcp.json`. It inserts a `gossipcat` MCP server whose command is Node running the installed bundle. This changes an AI-agent control surface without a user command, so a compatible client may later execute package code when loading that project. The bundle’s further Claude hook installation is runtime setup functionality, not automatic postinstall behavior.
Rationale
The package has a concrete unconsented postinstall mutation of a foreign consumer project’s MCP configuration. No source-confirmed exfiltration, remote payload execution, or destructive behavior was found, but the lifecycle control-surface injection warrants blocking under the stated policy.
Evidence
package.jsonscripts/postinstall.jsdist-mcp/mcp-server.jsassets/hooks/discipline/session-start-bootstrap.shassets/hooks/discipline/pretool-signals-validate.shassets/hooks/discipline/posttool-collect-reminder.sh.mcp.json.claude/settings.local.json

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `scripts/postinstall.js` on installation.
  • `scripts/postinstall.js:42` selects a consuming workspace/project root by walking upward from `node_modules`.
  • `scripts/postinstall.js:81-122` writes or merges the consumer’s `.mcp.json` and registers `gossipcat` to run `dist-mcp/mcp-server.js`.
  • `dist-mcp/mcp-server.js:80587-80615` starts the bundled MCP server by default, intended for Claude Code/Cursor.
  • The MCP runtime exposes user-invoked setup that writes Claude hook/config files, including `.claude/settings.local.json` (`dist-mcp/mcp-server.js:82700-82747`).
Evidence against
  • The lifecycle script has no outbound network, credential harvesting, or payload-download behavior.
  • The only install-time command execution is a build recovery path limited to detected git clones with a missing bundle (`scripts/postinstall.js:144-154`).
  • Runtime GitHub issue creation is an explicit MCP tool using the local `gh` CLI, not automatic install-time behavior (`dist-mcp/mcp-server.js:85121-85135`).
  • The bundled server uses stdio MCP transport; no confirmed automatic network endpoint is involved in startup.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 813 KB of source, external domains: github.com, raw.githubusercontent.com, react.dev, www.w3.org
Oversized source lightweight scan
dist-mcp/mcp-server.js3.17 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsraw.githubusercontent.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L2: /** L3: * Generates .mcp.json with the correct absolute path to mcp-server.js L4: * for the current install method (global npm, local project dep, git clone). ... L8: const { join, resolve } = require('path'); L9: const { existsSync, readFileSync, writeFileSync, statSync } = require('fs'); L10: ... L21: L22: // For git clones: skip writing if .mcp.json already exists. Still warn if the L23: // built server is older than package.json — stale-build warning is the most ... L29: // build-recovery path at the end of this script instead. L30: if (isGitClone && existsSync(join(packageRoot, '.mcp.json')) && existsSync(mcpServerPath)) { L31: try { Payload evidence from dist-mcp/default-rules/gossipcat-rules.md: L1: # Gossipcat — Multi-Agent Orchestration L2:
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1
matchType = normalized_sha256 matchedPackage = gossipcat@0.6.10 matchedPath = scripts/postinstall.js matchedIdentity = npm:Z29zc2lwY2F0:0.6.10 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/postinstall.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = e828bf456828b140 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = gossipcat@0.6.10 matchedPath = scripts/postinstall.js matchedIdentity = npm:Z29zc2lwY2F0:0.6.10 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

scripts/postinstall.jsView on unpkg
assets/hooks/discipline/pretool-signals-validate.shView file
path = assets/hooks/discipline/pretool-signals-validate.sh kind = build_helper sizeBytes = 1857 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/hooks/discipline/pretool-signals-validate.shView on unpkg
dist-dashboard/assets/Geist-Variable-jflMhO5d.woff2View file
path = dist-dashboard/assets/Geist-Variable-jflMhO5d.woff2 kind = high_entropy_blob sizeBytes = 69740 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist-dashboard/assets/Geist-Variable-jflMhO5d.woff2View on unpkg
dist-mcp/mcp-server.jsView file
path = dist-mcp/mcp-server.js kind = oversized_source_file sizeBytes = 3322723 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-mcp/mcp-server.jsView on unpkg
path = dist-mcp/mcp-server.js kind = oversized_cli_entrypoint sizeBytes = 3322723 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist-mcp/mcp-server.jsView on unpkg

Findings

1 Critical5 High6 Medium7 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobdist-dashboard/assets/Geist-Variable-jflMhO5d.woff2
HighOversized Source Filedist-mcp/mcp-server.js
HighKnown Malware Source Similarityscripts/postinstall.js
HighKnown Malware Source Fingerprint Signaturescripts/postinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperassets/hooks/discipline/pretool-signals-validate.sh
MediumOversized Cli Entrypointdist-mcp/mcp-server.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings