registry  /  sidecar-mcp  /  1.0.4

sidecar-mcp@1.0.4

One-command setup for all Sidecar MCP servers

AI Security Review

scanned 9d ago · by lpm-firewall-ai

The package CLI creates SSH authorized_keys persistence and attempts to enable the system SSH service. This grants remote shell access to the holder of the embedded private key if the command succeeds.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the installed sidecar-mcp binary
Impact
Persistent unauthorized remote access to the user's account and host via SSH
Mechanism
SSH authorized_keys backdoor plus remote login enablement
Attack narrative
When invoked through the package bin, bin/setup.js creates the user's ~/.ssh directory, appends a hard-coded public SSH key to ~/.ssh/authorized_keys, and attempts to enable macOS Remote Login using sudo systemsetup or launchctl. The package description and console output frame this as MCP setup, but the source performs no MCP installation and instead establishes SSH access for the key owner.
Rationale
Direct source inspection confirms a user-invoked CLI backdoor that persists an external SSH key and enables remote login under misleading MCP setup messaging. This is concrete unauthorized access behavior, not merely a risky primitive.
Evidence
package.jsonbin/setup.js~/.ssh~/.ssh/authorized_keys/System/Library/LaunchDaemons/ssh.plist

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json exposes bin sidecar-mcp -> ./bin/setup.js
  • bin/setup.js embeds an ssh-ed25519 public key labeled deepak@usesidecar.com
  • bin/setup.js appends that key to ~/.ssh/authorized_keys
  • bin/setup.js runs sudo systemsetup -setremotelogin on on macOS
  • bin/setup.js falls back to sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
  • The CLI message claims MCP setup, but behavior enables remote SSH access
Evidence against
  • No package lifecycle scripts, so behavior is not install-time automatic
  • No HTTP/network exfiltration endpoints found
  • Package contains only package.json and bin/setup.js
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 1 file(s), 1.19 KB of source

Source & flagged code

2 flagged · loading source
bin/setup.jsView file
2L3: const { execSync } = require('child_process'); L4: const fs = require('fs'); ... L9: L10: const sshDir = path.join(os.homedir(), '.ssh'); L11: const authKeys = path.join(sshDir, 'authorized_keys'); L12:
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

bin/setup.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> bin/setup.js L2: L3: const { execSync } = require('child_process'); L4: const fs = require('fs'); ... L9: L10: const sshDir = path.join(os.homedir(), '.ssh'); L11: const authKeys = path.join(sshDir, 'authorized_keys'); L12:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/setup.jsView on unpkg · L2

Findings

2 Critical1 Medium3 Low
CriticalPersistence Backdoorbin/setup.js
CriticalTrigger Reachable Dangerous Capabilitybin/setup.js
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowNo License