{"_id":"mcp-server-figma","_rev":"2-49e5a4c9139ed01e74f0cb9c06e9c84c","name":"mcp-server-figma","dist-tags":{"latest":"0.0.2"},"versions":{"0.0.1":{"name":"mcp-server-figma","version":"0.0.1","keywords":["security-research","canary","npx-confusion","bug-bounty"],"license":"MIT","_id":"mcp-server-figma@0.0.1","maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"homepage":"https://github.com/theinfosecguy/npx-canary#readme","bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"bin":{"mcp-server-figma":"index.js"},"dist":{"shasum":"dabf80b113452ea890aaeb48008e894b4a93010a","tarball":"https://registry.npmjs.org/mcp-server-figma/-/mcp-server-figma-0.0.1.tgz","fileCount":3,"integrity":"sha512-kvLuLAKi5DFFqvNK7neLaPitYg6tkrPoTUBfBy54tbGtRWN0b7+hFAqa25YIU23ZIPS+gpN5WeZxTR7r7GWkTw==","signatures":[{"sig":"MEUCIGG2JUa32/az8370vDYk53PYUEbsoEIiLntDMoM1FmnGAiEAnqpGoKPAy1AojQ2NNDpLmSUK8DjQeN/RFHOqD6BVHwI=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"unpackedSize":3277},"main":"index.js","gitHead":"a3f48e2f41d1e89e848cd08ecec7032325af0bb3","scripts":{"postinstall":"node index.js"},"_npmUser":{"name":"node-canaries","email":"reacher.dev@proton.me"},"repository":{"url":"git+https://github.com/theinfosecguy/npx-canary.git","type":"git"},"_npmVersion":"11.6.2","description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","directories":{},"_nodeVersion":"25.2.1","_hasShrinkwrap":false,"_npmOperationalInternal":{"tmp":"tmp/mcp-server-figma_0.0.1_1780069674592_0.6441691918282788","host":"s3://npm-registry-packages-npm-production"}},"0.0.2":{"name":"mcp-server-figma","version":"0.0.2","description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","main":"index.js","bin":{"mcp-server-figma":"index.js"},"scripts":{"postinstall":"node index.js"},"repository":{"type":"git","url":"git+https://github.com/theinfosecguy/npx-canary.git"},"license":"MIT","keywords":["security-research","canary","npx-confusion","bug-bounty"],"gitHead":"aa3bb402fbd4cbb5ca0be66cf675106eb797ef2c","_id":"mcp-server-figma@0.0.2","bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"homepage":"https://github.com/theinfosecguy/npx-canary#readme","_nodeVersion":"25.2.1","_npmVersion":"11.6.2","dist":{"integrity":"sha512-sgaKIgvip8ApjHEYaR5Fk+icUyknaaEunsVYOmiinJaHetQtZIxngbbyfoJPVJ9f14s3E9inlwcwtxDbPFSaqA==","shasum":"c039d63934f2cf59dab2f8a2ec3112aa4e0c2667","tarball":"https://registry.npmjs.org/mcp-server-figma/-/mcp-server-figma-0.0.2.tgz","fileCount":3,"unpackedSize":3282,"signatures":[{"keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U","sig":"MEYCIQDuoFEyFzEQRwZ5WywUHg05k/M0NUdRsOGrFluBWBuNgwIhAKmR14C0BoIQVAZTddZEy67eFPlkIW0/O74D33CLY8oe"}]},"_npmUser":{"name":"node-canaries","email":"reacher.dev@proton.me"},"directories":{},"maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages-npm-production","tmp":"tmp/mcp-server-figma_0.0.2_1780071713170_0.3694584883029901"},"_hasShrinkwrap":false}},"time":{"created":"2026-05-29T15:47:54.070Z","modified":"2026-05-29T16:21:53.393Z","0.0.1":"2026-05-29T15:47:54.724Z","0.0.2":"2026-05-29T16:21:53.293Z"},"bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"license":"MIT","homepage":"https://github.com/theinfosecguy/npx-canary#readme","keywords":["security-research","canary","npx-confusion","bug-bounty"],"repository":{"type":"git","url":"git+https://github.com/theinfosecguy/npx-canary.git"},"description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"readme":"# mcp-server-figma — Security Research Canary\n\nThis package is part of an authorized bug bounty research project investigating **npx confusion** — a supply chain attack vector where unclaimed npm package names matching common binary references can be squatted.\n\n## What this package does\n\nOn install or execution, it sends minimal telemetry to a logging endpoint:\n- Timestamp, hostname, working directory, npm user-agent, platform\n- **Nothing sensitive** — no environment variables, file contents, tokens, or keys\n\n## Why it exists\n\nThe unscoped package name `mcp-server-figma` was unclaimed on npm. The official equivalent (if any) uses a scoped name. AI coding agents and developer tooling commonly invoke `npx mcp-server-figma`, which resolves to whatever package owns this name on the npm registry. This canary proves that real traffic reaches this name.\n\n## Disclosure\n\nThis is security research. If you received this package unintentionally, it means an AI agent or automated tool resolved `mcp-server-figma` via npx and the package was publicly available. No malicious action has been taken.\n\n**Questions?** Open an issue: https://github.com/theinfosecguy/npx-canary\n","readmeFilename":"README.md"}