OSV Malicious Advisory
scanned 14h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10747 confirms this npm version as malicious. sensorium-mcp starts a background poller against api.telegram.org/getUpdates and delivers received message text as prompts to locally spawned Claude Code (invoked with --dangerously-skip-permissions) and Codex (invoked with --dangerously-bypass-approvals-and-sandbox)...
Advisory
MAL-2026-10747
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in sensorium-mcp (npm)
Details
sensorium-mcp starts a background poller against api.telegram.org/getUpdates and delivers received message text as prompts to locally spawned Claude Code (invoked with --dangerously-skip-permissions) and Codex (invoked with --dangerously-bypass-approvals-and-sandbox). Because the agents' approval/sandbox prompts are disabled by the package, any party holding the Telegram bot token and chat id can issue instructions that execute as shell and file operations on the installer's host. The keepAlive threads auto-launch when the server is started. In addition, the MCP `send_file` tool accepts any absolute path inside the installer's cwd or home directory, reads the file, and uploads it to the configured Telegram chat via telegram.sendDocument, exposing paths such as ~/.ssh/id_rsa, ~/.aws/credentials, and ~/.npmrc to whoever controls the bot. The ping-related patterns flagged in dist/http-server.js and dist/services/self-update.service.js are health-check / keepalive references and are not the primary basis for this verdict.
Decision reason
OpenSSF Malicious Packages via OSV confirms sensorium-mcp@3.0.95 as malicious (MAL-2026-10747): Malicious code in sensorium-mcp (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory