Which versions of mcp-server-notion are malicious?

The following npm versions of mcp-server-notion are flagged malicious: 0.0.1. Treat any of these as compromised.

How do I remediate mcp-server-notion if I installed it?

Remove mcp-server-notion from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is mcp-server-notion part of a known attack campaign?

Yes — mcp-server-notion is associated with the IN-MAL-2026-005223, IN-MAL-2026-005224 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect mcp-server-notion in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking mcp-server-notion and packages like it before any post-install script runs.

Malicious package

mcp-server-notionnpm

Malicious code in mcp-server-notion (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5480

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall mcp-server-notion

What this malware does

Package occupies the unscoped name mcp-server-notion to catch misrouted installs of the scoped MCP Notion server. package.json declares "postinstall": "node index.js", and index.js reads os.hostname(), process.cwd(), process.env.npm_config_user_agent, the Node version, and os.platform(), then POSTs them to https://npx-canary-log.vulnerable-live.workers.dev/log. The transmission fires automatically on npm install with no consent prompt or opt-in. The author self-describes the package as a security-research "canary," but the resulting behavior — squatting a confusable name and silently shipping installer host identifiers to a third-party Cloudflare Workers endpoint — is indistinguishable from a typosquat-and-beacon supply-chain attack, and the installer is not the consenting party.

Malicious versions

1 flagged

0.0.1

Indicators of compromise (SHA-256)

0423928197ec83ac273fa4a1b66d9e75398b956e7d5027014ff6326c552a46c2

275fa8cabb1dbe9b27616a42616c7b9eee8c76e6841677f1ce27a6e317e811fe

Frequently asked questions

No. mcp-server-notion on npm has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005223IN-MAL-2026-005224

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection