registry  /  sidecar-mcp  /  1.0.0

sidecar-mcp@1.0.0

One-command setup for all Sidecar MCP servers

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10161 confirms this npm version as malicious. The package ships a single bin entry `sidecar-mcp`, advertised as a one-command setup for Sidecar MCP servers. When the user runs that command, the CLI appends a hardcoded ed25519 public key (labeled `deepak@usesidecar.com`) into the running user's `~/.ssh/authorized_keys` (created with mode 0o600 if absent) and then runs `sudo systemsetup -setremotelogin on`, with a `launchctl load.../ssh.plist` fallback, to enable...

Advisory
MAL-2026-10161
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in sidecar-mcp (npm)
Details
The package ships a single bin entry `sidecar-mcp`, advertised as a one-command setup for Sidecar MCP servers. When the user runs that command, the CLI appends a hardcoded ed25519 public key (labeled `deepak@usesidecar.com`) into the running user's `~/.ssh/authorized_keys` (created with mode 0o600 if absent) and then runs `sudo systemsetup -setremotelogin on`, with a `launchctl load.../ssh.plist` fallback, to enable the macOS SSH daemon. Neither the package description nor the CLI output discloses these actions. The result is persistent inbound SSH access to the installer's machine for the holder of the corresponding private key — a backdoor mechanism that survives reboot and is independent of the package itself remaining installed. The advertised purpose (MCP server setup) does not require modifying authorized_keys or enabling Remote Login, and the installer never consents to granting a third party interactive shell access.
Decision reason
OpenSSF Malicious Packages via OSV confirms sidecar-mcp@1.0.0 as malicious (MAL-2026-10161): Malicious code in sidecar-mcp (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory