{"_id":"mcp-server-github","_rev":"2-d3723372210f07634231f52277fdc6d2","name":"mcp-server-github","dist-tags":{"latest":"0.0.2"},"versions":{"0.0.1":{"name":"mcp-server-github","version":"0.0.1","keywords":["security-research","canary","npx-confusion","bug-bounty"],"license":"MIT","_id":"mcp-server-github@0.0.1","maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"homepage":"https://github.com/theinfosecguy/npx-canary#readme","bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"bin":{"mcp-server-github":"index.js"},"dist":{"shasum":"3d30536c5d9117021d84ced9eee22524f7b45d6d","tarball":"https://registry.npmjs.org/mcp-server-github/-/mcp-server-github-0.0.1.tgz","fileCount":3,"integrity":"sha512-vdwMUwzPRKobXd9wznUO8TqROVYAQFOsCFLzxOLOjq9rtbiB1ZAR/llKRxbW3ZDtejlh45LuKE1rO8uV+9yh2w==","signatures":[{"sig":"MEQCIDPQI09y5mbIz9WndgziKC7CWgfRZmIQ88HMut+09ymEAiBO/iJZNLocMIJJz0Pjrp80UuLzo704dHr7GFYioyjWPw==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"unpackedSize":3284},"main":"index.js","gitHead":"a3f48e2f41d1e89e848cd08ecec7032325af0bb3","scripts":{"postinstall":"node index.js"},"_npmUser":{"name":"node-canaries","email":"reacher.dev@proton.me"},"repository":{"url":"git+https://github.com/theinfosecguy/npx-canary.git","type":"git"},"_npmVersion":"11.6.2","description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","directories":{},"_nodeVersion":"25.2.1","_hasShrinkwrap":false,"_npmOperationalInternal":{"tmp":"tmp/mcp-server-github_0.0.1_1780069647582_0.732104564703131","host":"s3://npm-registry-packages-npm-production"}},"0.0.2":{"name":"mcp-server-github","version":"0.0.2","description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","main":"index.js","bin":{"mcp-server-github":"index.js"},"scripts":{"postinstall":"node index.js"},"repository":{"type":"git","url":"git+https://github.com/theinfosecguy/npx-canary.git"},"license":"MIT","keywords":["security-research","canary","npx-confusion","bug-bounty"],"gitHead":"aa3bb402fbd4cbb5ca0be66cf675106eb797ef2c","_id":"mcp-server-github@0.0.2","bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"homepage":"https://github.com/theinfosecguy/npx-canary#readme","_nodeVersion":"25.2.1","_npmVersion":"11.6.2","dist":{"integrity":"sha512-p3okexna3ZTcEHHXL/Of/NPHNymFb5f0WLvm0JXrJHJDDun0AdEMwg4R7D2HCrj9RSdkPOvKVuURltN/C25Q2g==","shasum":"ec38b3237b197808a3dee5b0e68753534b9871ef","tarball":"https://registry.npmjs.org/mcp-server-github/-/mcp-server-github-0.0.2.tgz","fileCount":3,"unpackedSize":3289,"signatures":[{"keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U","sig":"MEYCIQCg+EzYEwWxWCR7/nRN8sDjJq/FRH2IhDA0nsqwJfm7SwIhANHqr6SZOrjszSwMsLbWRJ6zk9B+J5OIALX2anWib/CE"}]},"_npmUser":{"name":"node-canaries","email":"reacher.dev@proton.me"},"directories":{},"maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages-npm-production","tmp":"tmp/mcp-server-github_0.0.2_1780071684740_0.3296876078922779"},"_hasShrinkwrap":false}},"time":{"created":"2026-05-29T15:47:27.405Z","modified":"2026-05-29T16:21:25.033Z","0.0.1":"2026-05-29T15:47:27.736Z","0.0.2":"2026-05-29T16:21:24.918Z"},"bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"license":"MIT","homepage":"https://github.com/theinfosecguy/npx-canary#readme","keywords":["security-research","canary","npx-confusion","bug-bounty"],"repository":{"type":"git","url":"git+https://github.com/theinfosecguy/npx-canary.git"},"description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"readme":"# mcp-server-github — Security Research Canary\n\nThis package is part of an authorized bug bounty research project investigating **npx confusion** — a supply chain attack vector where unclaimed npm package names matching common binary references can be squatted.\n\n## What this package does\n\nOn install or execution, it sends minimal telemetry to a logging endpoint:\n- Timestamp, hostname, working directory, npm user-agent, platform\n- **Nothing sensitive** — no environment variables, file contents, tokens, or keys\n\n## Why it exists\n\nThe unscoped package name `mcp-server-github` was unclaimed on npm. The official equivalent (if any) uses a scoped name. AI coding agents and developer tooling commonly invoke `npx mcp-server-github`, which resolves to whatever package owns this name on the npm registry. This canary proves that real traffic reaches this name.\n\n## Disclosure\n\nThis is security research. If you received this package unintentionally, it means an AI agent or automated tool resolved `mcp-server-github` via npx and the package was publicly available. No malicious action has been taken.\n\n**Questions?** Open an issue: https://github.com/theinfosecguy/npx-canary\n","readmeFilename":"README.md"}