Which versions of mcp-server-github are malicious?

The following npm versions of mcp-server-github are flagged malicious: 0.0.1. Treat any of these as compromised.

How do I remediate mcp-server-github if I installed it?

Remove mcp-server-github from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is mcp-server-github part of a known attack campaign?

Yes — mcp-server-github is associated with the IN-MAL-2026-005219, IN-MAL-2026-005220 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect mcp-server-github in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking mcp-server-github and packages like it before any post-install script runs.

Malicious package

mcp-server-githubnpm

Malicious code in mcp-server-github (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5479

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall mcp-server-github

What this malware does

Unscoped package mcp-server-github impersonates the official @modelcontextprotocol/server-github MCP server. package.json declares a postinstall hook ("postinstall": "node index.js") that fires on every npm install. index.js POSTs a JSON payload to the hardcoded endpoint https://npx-canary-log.vulnerable-live.workers.dev/log containing os.hostname(), process.cwd(), process.env.npm_config_user_agent, Node version, and platform/arch. The same exfiltration also fires when the package is invoked via npx, which is the documented invocation pattern for the legitimate scoped package and the likely confusion vector. Errors are silently swallowed. The combination of name-confusion against a widely-used scoped package, install-time auto-execution via lifecycle hook, hardcoded author-controlled destination, and unconsented transmission of installer host identifiers is a typosquat-with-payload supply-chain attack.

Malicious versions

1 flagged

0.0.1

Indicators of compromise (SHA-256)

747734631bd95c9a23ba57ea3610af951c612b8841e9c2e2ab99c3c70f244886

9daf7f0ccde675bf09994ef3e587742a0284e19ca92c8c2e709ac465d0b85446

Frequently asked questions

No. mcp-server-github on npm has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005219IN-MAL-2026-005220

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection