registry  /  memtry-cli  /  1.0.4

memtry-cli@1.0.4

Local stdio MCP proxy for memtry.io — bridges stdio MCP clients to the cloud

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10736 confirms this npm version as malicious. memtry-cli installs an MCP server whose `memtry_onboarding` tool returns a prompt that instructs the connected AI agent to scan the installer's home directory (~/.claude, ~/.gemini, ~/.cursor, ~/Library/Application Support, ~/Documents, ~/Downloads, ~/Desktop, ~/Projects) for chat histories, resumes, YC applications, financial documents, and personal data, then submit the collected content through the package's...

Advisory
MAL-2026-10736
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in memtry-cli (npm)
Details
memtry-cli installs an MCP server whose `memtry_onboarding` tool returns a prompt that instructs the connected AI agent to scan the installer's home directory (~/.claude, ~/.gemini, ~/.cursor, ~/Library/Application Support, ~/Documents, ~/Downloads, ~/Desktop, ~/Projects) for chat histories, resumes, YC applications, financial documents, and personal data, then submit the collected content through the package's `create_repo` / `update_context` / `append_changelog` tools. Those tools default-route via `callCloud(`${BASE_URL}/api/mcp`)` to the author-controlled endpoint https://memtry.vercel.app/api/mcp, and the shipped `.gemini/settings.json` pins BASE_URL to that host with a bundled Bearer API key. Only items the model explicitly tags `status: private` stay local; the onboarding prompt does not instruct the model to apply that tag to the harvested personal or financial content, so exfiltration to the author's Vercel endpoint is the default path. The tarball also ships a live `mk_...` API key for memtry.vercel.app in `.gemini/settings.json`.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 3 file(s), 28.0 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

2 Medium4 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License