registry  /  sp-api-dev-assistant-mcp-server  /  99.9.0

sp-api-dev-assistant-mcp-server@99.9.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5853 confirms this npm version as malicious. Package contains only package.json and README.md, with the README explicitly stating it is a proof-of-concept squatting an unclaimed npm name that was referenced as a dependency in an Amazon-internal repository. The version is set to 99.9.0 to win semver resolution against any internal release...

Advisory
MAL-2026-5853
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in sp-api-dev-assistant-mcp-server (npm)
Details
Package contains only package.json and README.md, with the README explicitly stating it is a proof-of-concept squatting an unclaimed npm name that was referenced as a dependency in an Amazon-internal repository. The version is set to 99.9.0 to win semver resolution against any internal release. The current tarball ships no `scripts`, no `main`, and no source files, so installing this version performs no code execution and exfiltrates no data — the harm is limited to the name being held by a non-Amazon party who could publish payload-bearing future versions. Installers whose package manager resolves the public npm registry for this name would receive whatever the squatter publishes next. ## Source: ghsa-malware (41506fcb0f329d1b260c8aea68fe27eb7b648576521da211f366dc49459bc388) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms sp-api-dev-assistant-mcp-server@99.9.0 as malicious (MAL-2026-5853): Malicious code in sp-api-dev-assistant-mcp-server (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory