Technical Advisory: Remote Shell Backdoor in MCP Package (@lanyer640/mcp-runcommand-server)


Date: October 3, 2025
Severity: High
Package: @lanyer640/mcp-runcommand-server
Advisory: GHSA-xmqc-rm22-fxq6, MAL-2025-47838

Executive Summary

What Happened:

A malicious NPM package (@lanyer640/mcp-runcommand-server) has been discovered as part of a broader self-replicating attack campaign targeting software supply chains. The package establishes unauthorized remote shells on compromised systems.

Why It Matters:

  • Supply Chain Risk: Exploits software supply chains – a top board-level risk affecting development and production environments
  • Full System Compromise: Can lead to complete compromise of development environments, providing attackers with persistent backdoor access
  • AI Infrastructure Target: Specifically targets MCP (Model Context Protocol) servers – critical for organizations adopting AI agents and automation platforms
  • Operational Impact: Active threat affecting organizations running agentic AI systems

High-Level Risks:

  • Credential theft and unauthorized access
  • Data exfiltration from development and production systems
  • Lateral movement across networked environments
  • Reputational harm and regulatory compliance violations

Immediate Actions:

  1. Review all NPM dependencies, particularly MCP-related packages
  2. Rotate potentially exposed credentials and API keys
  3. Strengthen governance around package usage and approval processes
  4. Implement continuous dependency monitoring

Overview

A malicious package has been identified in the NPM ecosystem targeting Model Context Protocol (MCP) implementations. The package @lanyer640/mcp-runcommand-server contains malicious code that establishes unauthorized remote shells, potentially allowing attackers to gain remote access to systems where it is installed.

Risk Analysis

This threat is particularly concerning in the context of agentic AI systems due to:

  1. Protocol Abuse: Exploits MCP infrastructure
  2. Supply Chain Risk: Represents a sophisticated supply chain attack targeting AI agent communications
  3. Autonomous Systems Impact: Could affect multiple agents and systems through delegation chains

Technical Details

The malicious package operates through a two-pronged approach:

  1. Installation Time:
    • Utilizes preinstall hooks in package.json
    • Executes malicious setup code during package installation
  2. Runtime Execution:
    • Implements backdoor functionality through runtime scripts
    • Establishes persistent remote shell access
    • Potentially allows unauthorized command execution

Impact

Systems that have installed this package may be compromised, allowing attackers to:

  • Execute arbitrary commands remotely
  • Access sensitive system resources
  • Establish persistent backdoor access
  • Potentially pivot to other systems in the network

Affected Components

The following package variations are known to be malicious:

  • @lanyer640/mcp-runcommand-server
  • @lanyer640/mcp-runcommand-server@latest
  • @lanyer640/mcp-runcommand-server@1.0.6
  • Base package name variations

Immediate Mitigation Steps

  1. Remove the malicious package immediately:
       npm uninstall @lanyer640/mcp-runcommand-server
  2. Check for indicators of compromise:
    • Review system logs for unauthorized access
    • Monitor for suspicious network connections
    • Check for unexpected outbound traffic
  3. Security measures:
    • Rotate any potentially exposed credentials
    • Review system integrity
    • Audit other installed packages
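The install-time vector described under Technical Details (lifecycle hooks in package.json) and the "audit other installed packages" step above can be checked mechanically. The following is an added example, not code from the advisory or from any project: it walks a map of package name to parsed package.json and flags both the package named in this advisory and any dependency that runs code at install time. The sample tree and its script values are constructed for illustration.

```javascript
// Added example: audit a dependency tree for (a) the package named in this
// advisory and (b) install-time lifecycle hooks, the mechanism the advisory
// describes for running code during `npm install`.
const KNOWN_BAD = new Set(['@lanyer640/mcp-runcommand-server']);
// npm runs these scripts when a dependency is installed, before any runtime code.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// `tree` maps package name -> parsed package.json object. In practice you build
// it by reading node_modules/**/package.json (scoped packages live under @scope/).
function auditPackages(tree) {
  const findings = [];
  for (const [name, manifest] of Object.entries(tree)) {
    const version = manifest.version || 'unknown';
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, version, hook: null, reason: 'known malicious package' });
    }
    const scripts = manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      const cmd = scripts[hook];
      if (typeof cmd === 'string' && cmd.trim() !== '') {
        findings.push({ name, version, hook, reason: `runs "${cmd}" at install time` });
      }
    }
  }
  return findings;
}

// Constructed sample tree (hypothetical manifests; the preinstall command is a
// placeholder, not the real payload).
const SAMPLE_TREE = {
  'example-benign-lib': { version: '2.1.0', scripts: { test: 'jest' } },
  '@lanyer640/mcp-runcommand-server': {
    version: '1.0.6',
    scripts: { preinstall: 'node setup.js' },
  },
};

function formatFindings(findings) {
  return findings.map((f) => `${f.name}@${f.version}: ${f.reason}`);
}

for (const line of formatFindings(auditPackages(SAMPLE_TREE))) {
  console.log(line);
}
```

Any package flagged only for an install hook is not necessarily malicious (native builds use them legitimately), but each such hit is a manifest worth reading before the next install.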

Long-term Recommendations

  1. Package Verification:
    • Implement strict package verification procedures
    • Use package lockfiles to pin dependencies
    • Regularly audit npm dependencies
  2. MCP Security:
    • Implement strict validation of MCP messages
    • Monitor agent communication patterns
    • Use secure protocols for inter-agent communication
  3. System Hardening:
    • Implement least-privilege principles for package installation
    • Use containerization where possible
    • Maintain up-to-date security policies

Framework Context

This incident aligns with multiple security frameworks:

  • OWASP ASI T2 Tool Misuse: Demonstrates exploitation of agent tool integration
  • OWASP LLM03:2025 Supply Chain: Represents a supply chain attack vector
  • CWE-506 Embedded Malicious Code: Malicious code intentionally embedded within the package to perform unauthorized actions

Updates

We will update this analysis as more information becomes available. Please monitor our channels for the latest updates.
