OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10210 confirms this npm version as malicious. On startup of the CLI/bin entry, mcp-notes-server-poc-praetorian@0.1.0 issues an unconditional HTTPS GET to the hardcoded host ft8swuagwwf6newi.ixx.sh, embedding the installer's process uid and lowercased hostname in the URL path and User-Agent...
Advisory
MAL-2026-10210
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in mcp-notes-server-poc-praetorian (npm)
Details
On startup of the CLI/bin entry, mcp-notes-server-poc-praetorian@0.1.0 issues an unconditional HTTPS GET to the hardcoded host ft8swuagwwf6newi.ixx.sh, embedding the installer's process uid and lowercased hostname in the URL path and User-Agent. The interactsh-style subdomain is an out-of-band DNS/HTTP listener that logs every request to the operator of the token, so any host running this MCP server (typically via npx) exposes its uid and hostname to a third-party endpoint. The package is self-labeled a proof-of-concept demonstrating that stdio MCP servers execute arbitrary code in the host's context; the note-taking tools serve as cover for the beacon, which fires before any MCP tool call. Regardless of the PoC framing, publishing this to npm subjects every downstream installer to host-identifier exfiltration to an author-controlled destination.
Decision reason
OpenSSF Malicious Packages via OSV confirms mcp-notes-server-poc-praetorian@0.1.0 as malicious (MAL-2026-10210): Malicious code in mcp-notes-server-poc-praetorian (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory