Malicious package

mcp-server-figma (npm)

Malicious code in mcp-server-figma (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5477
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall mcp-server-figma

What this malware does

Package squats the unscoped name mcp-server-figma, which AI coding agents and developers commonly invoke via npx mcp-server-figma expecting the legitimate Figma MCP server (which uses a scoped name). The package.json declares scripts.postinstall: node index.js, which fires automatically on npm install. index.js (line 18) hardcodes ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log' and POSTs a JSON payload containing os.hostname(), process.cwd(), process.env.npm_config_user_agent, Node version, os.platform(), and a timestamp to that Cloudflare Workers endpoint. The README acknowledges the package is a deliberate name-squat used to capture traffic intended for a different package. Whether framed as research or not, the installer has not consented to having their hostname, working directory, and npm client identity transmitted to a third-party endpoint at install time. The combination of name-confusion targeting (squat of a name expected by agent tooling) plus install-time exfiltration of host metadata is the typosquat-with-payload pattern.

Malicious versions

1 flagged
0.0.1

Indicators of compromise (SHA-256)

29060c34630f9510a380d9a36111d525f2b33db41ee4d079e7d63b3e7c697c76
474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20

Frequently asked questions

No. mcp-server-figma on npm has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005226
IN-MAL-2026-005225

Credits

  • Amazon Inspector · finder

mcp-server-figma (npm) malicious package — MAL-2026-5477 | O3 Security