{"_id":"mcp-server-postgres","_rev":"2-2fe7acbc2c6ff3e8e047eb5df261cad4","name":"mcp-server-postgres","dist-tags":{"latest":"0.0.2"},"versions":{"0.0.1":{"name":"mcp-server-postgres","version":"0.0.1","keywords":["security-research","canary","npx-confusion","bug-bounty"],"license":"MIT","_id":"mcp-server-postgres@0.0.1","maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"homepage":"https://github.com/theinfosecguy/npx-canary#readme","bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"bin":{"mcp-server-postgres":"index.js"},"dist":{"shasum":"619d5e7a8cf71d7cbf29b260f406442286c4935f","tarball":"https://registry.npmjs.org/mcp-server-postgres/-/mcp-server-postgres-0.0.1.tgz","fileCount":3,"integrity":"sha512-IxhzDulWucT/bRAY4fo07EpNfusWdSz1iCwmawMrlUeIJXbovHCwDa8qq04xY2w8EYWvE/SjiCIbyl6PuqVS2Q==","signatures":[{"sig":"MEUCIQDmnokofDTgDc3XBQHXyRk+IoyE4+Jczu6+B8Gzq6LdoAIgTw5DkfPDqaaG2H/xoiGO0IPTkfJgnLcsEfTJCNnafO8=","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"unpackedSize":3298},"main":"index.js","gitHead":"a3f48e2f41d1e89e848cd08ecec7032325af0bb3","scripts":{"postinstall":"node index.js"},"_npmUser":{"name":"node-canaries","email":"reacher.dev@proton.me"},"repository":{"url":"git+https://github.com/theinfosecguy/npx-canary.git","type":"git"},"_npmVersion":"11.6.2","description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","directories":{},"_nodeVersion":"25.2.1","_hasShrinkwrap":false,"_npmOperationalInternal":{"tmp":"tmp/mcp-server-postgres_0.0.1_1780069651929_0.8987583732915403","host":"s3://npm-registry-packages-npm-production"}},"0.0.2":{"name":"mcp-server-postgres","version":"0.0.2","description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","main":"index.js","bin":{"mcp-server-postgres":"index.js"},"scripts":{"postinstall":"node index.js"},"repository":{"type":"git","url":"git+https://github.com/theinfosecguy/npx-canary.git"},"license":"MIT","keywords":["security-research","canary","npx-confusion","bug-bounty"],"gitHead":"aa3bb402fbd4cbb5ca0be66cf675106eb797ef2c","_id":"mcp-server-postgres@0.0.2","bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"homepage":"https://github.com/theinfosecguy/npx-canary#readme","_nodeVersion":"25.2.1","_npmVersion":"11.6.2","dist":{"integrity":"sha512-9OlSn3CkxVjUD8GqfDeXD1shMtf3hhLD5aFvT3JgVXgBvbUNhzJ8Z7VLBp46QO7F84H9WRKF4xTqQkqas6XPPg==","shasum":"7476efba11b8f871478fe297f4faff1353ddf640","tarball":"https://registry.npmjs.org/mcp-server-postgres/-/mcp-server-postgres-0.0.2.tgz","fileCount":3,"unpackedSize":3303,"signatures":[{"keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U","sig":"MEQCICxidP0vHCj6aQpKfGGjT3kt+xl/TIRHz/vLrJm/7Xe5AiAN7JArLPRAcVbjfTdMaGrdX4OEa2/lrGTIH4jIoY2QHw=="}]},"_npmUser":{"name":"node-canaries","email":"reacher.dev@proton.me"},"directories":{},"maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages-npm-production","tmp":"tmp/mcp-server-postgres_0.0.2_1780071692301_0.8068365195371376"},"_hasShrinkwrap":false}},"time":{"created":"2026-05-29T15:47:31.778Z","modified":"2026-05-29T16:21:32.548Z","0.0.1":"2026-05-29T15:47:32.068Z","0.0.2":"2026-05-29T16:21:32.438Z"},"bugs":{"url":"https://github.com/theinfosecguy/npx-canary/issues"},"license":"MIT","homepage":"https://github.com/theinfosecguy/npx-canary#readme","keywords":["security-research","canary","npx-confusion","bug-bounty"],"repository":{"type":"git","url":"git+https://github.com/theinfosecguy/npx-canary.git"},"description":"Security research canary — not for production use. Part of an authorized bug bounty research project.","maintainers":[{"name":"node-canaries","email":"reacher.dev@proton.me"}],"readme":"# mcp-server-postgres — Security Research Canary\n\nThis package is part of an authorized bug bounty research project investigating **npx confusion** — a supply chain attack vector where unclaimed npm package names matching common binary references can be squatted.\n\n## What this package does\n\nOn install or execution, it sends minimal telemetry to a logging endpoint:\n- Timestamp, hostname, working directory, npm user-agent, platform\n- **Nothing sensitive** — no environment variables, file contents, tokens, or keys\n\n## Why it exists\n\nThe unscoped package name `mcp-server-postgres` was unclaimed on npm. The official equivalent (if any) uses a scoped name. AI coding agents and developer tooling commonly invoke `npx mcp-server-postgres`, which resolves to whatever package owns this name on the npm registry. This canary proves that real traffic reaches this name.\n\n## Disclosure\n\nThis is security research. If you received this package unintentionally, it means an AI agent or automated tool resolved `mcp-server-postgres` via npx and the package was publicly available. No malicious action has been taken.\n\n**Questions?** Open an issue: https://github.com/theinfosecguy/npx-canary\n","readmeFilename":"README.md"}