{"_id":"mcp-server-fetch","_rev":"2-5f9459050c672eb3eb1496652839255d","name":"mcp-server-fetch","dist-tags":{"latest":"0.0.2"},"versions":{"0.0.1":{"name":"mcp-server-fetch","version":"0.0.1","keywords":["security-research","canary","npx-confusion","bug-bounty"],"license":"MIT","_id":"mcp-server-fetch@0.0.1","maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"homepage":"https://github.com/theinfosecguy/npx-canary#readme","bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"bin":{"mcp-server-fetch":"index.js"},"dist":{"shasum":"f90d1186f9d9c5263ef6ea6e8855889ae7660fb4","tarball":"https://registry.npmjs.org/mcp-server-fetch/-/mcp-server-fetch-0.0.1.tgz","fileCount":3,"integrity":"sha512-1DF4gz5VRm7Kgu22fvL09gW5XmcDmj7vqnvLSKeWJX6A0BMnlRBEOQ/wcXDZIXWUrc54hTN6frfCOMHY6SpNWA==","signatures":[{"sig":"MEUCIEjuQHVjbYJSc5H2wKjaRf/m24JPVj+fCZBvp26sYjXZAiEA68vxl7RwkGpF9BMBVB0y/6FlVX8xxYAXWq+/DMRV7Xg=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"unpackedSize":3277},"main":"index.js","gitHead":"a3f48e2f41d1e89e848cd08ecec7032325af0bb3","scripts":{"postinstall":"node index.js"},"_npmUser":{"name":"node-canaries","email":"reacher.dev@proton.me"},"repository":{"url":"git+https://github.com/theinfosecguy/npx-canary.git","type":"git"},"_npmVersion":"11.6.2","description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","directories":{},"_nodeVersion":"25.2.1","_hasShrinkwrap":false,"_npmOperationalInternal":{"tmp":"tmp/mcp-server-fetch_0.0.1_1780069654569_0.5363483194370251","host":"s3://npm-registry-packages-npm-production"}},"0.0.2":{"name":"mcp-server-fetch","version":"0.0.2","description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","main":"index.js","bin":{"mcp-server-fetch":"index.js"},"scripts":{"postinstall":"node index.js"},"repository":{"type":"git","url":"git+https://github.com/theinfosecguy/npx-canary.git"},"license":"MIT","keywords":["security-research","canary","npx-confusion","bug-bounty"],"gitHead":"aa3bb402fbd4cbb5ca0be66cf675106eb797ef2c","_id":"mcp-server-fetch@0.0.2","bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"homepage":"https://github.com/theinfosecguy/npx-canary#readme","_nodeVersion":"25.2.1","_npmVersion":"11.6.2","dist":{"integrity":"sha512-sBp0y74dRMkbU7xsxhPrJOQw6Kuu4NSvzj1QCgYgCbcLfdK34RGIqqzlUJHM6SSKWlLO4naJNCS4K1qcYVgduw==","shasum":"77335b77f24faae4c038fdbc6e006527633147c4","tarball":"https://registry.npmjs.org/mcp-server-fetch/-/mcp-server-fetch-0.0.2.tgz","fileCount":3,"unpackedSize":3282,"signatures":[{"keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U","sig":"MEUCIDPodDsvjMFKp3fYCgtZ6FIvkakScVU6qYVxXy10YXe2AiEAqBjUH8uxa/lXsxAMzQfiYiRlOXIEx8NoO8ylGjs4kC4="}]},"_npmUser":{"name":"node-canaries","email":"reacher.dev@proton.me"},"directories":{},"maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages-npm-production","tmp":"tmp/mcp-server-fetch_0.0.2_1780071687164_0.16017285072934762"},"_hasShrinkwrap":false}},"time":{"created":"2026-05-29T15:47:34.419Z","modified":"2026-05-29T16:21:27.421Z","0.0.1":"2026-05-29T15:47:34.708Z","0.0.2":"2026-05-29T16:21:27.314Z"},"bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"license":"MIT","homepage":"https://github.com/theinfosecguy/npx-canary#readme","keywords":["security-research","canary","npx-confusion","bug-bounty"],"repository":{"type":"git","url":"git+https://github.com/theinfosecguy/npx-canary.git"},"description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"readme":"# mcp-server-fetch — Security Research Canary\n\nThis package is part of an authorized bug bounty research project investigating **npx confusion** — a supply chain attack vector where unclaimed npm package names matching common binary references can be squatted.\n\n## What this package does\n\nOn install or execution, it sends minimal telemetry to a logging endpoint:\n- Timestamp, hostname, working directory, npm user-agent, platform\n- **Nothing sensitive** — no environment variables, file contents, tokens, or keys\n\n## Why it exists\n\nThe unscoped package name `mcp-server-fetch` was unclaimed on npm. The official equivalent (if any) uses a scoped name. AI coding agents and developer tooling commonly invoke `npx mcp-server-fetch`, which resolves to whatever package owns this name on the npm registry. This canary proves that real traffic reaches this name.\n\n## Disclosure\n\nThis is security research. If you received this package unintentionally, it means an AI agent or automated tool resolved `mcp-server-fetch` via npx and the package was publicly available. No malicious action has been taken.\n\n**Questions?** Open an issue: https://github.com/theinfosecguy/npx-canary\n","readmeFilename":"README.md"}