#021High2026-04-03

Obfuscated Trojan Disguised as MCP Server

abtestresult-mcp@1.0.7

Verdict:MALICIOUS — Trojanized MCP server package

Overview

A 1.8MB npm package published as abtestresult-mcp, disguised as a Model Context Protocol server for A/B testing. The entire codebase is heavily obfuscated using javascript-obfuscator, making it impossible to audit. The package exploits the growing trust in MCP servers — developers install these to extend their AI coding assistants (Claude Code, Cursor) with additional capabilities. A malicious MCP server gains direct access to the AI assistant's tool interface.

1.8MB
Package Size
100%
Code Obfuscated
MCP
Disguise Type
AI Tools
Target

Attack Flow

MCP Disguise
Published as abtestresult-mcp, appearing to be a legitimate MCP server for A/B testing functionality in AI coding assistants.
Heavy Obfuscation
1.8MB of javascript-obfuscator output. The entire package is unreadable and unauditable without significant reverse engineering effort.
MCP Trust Exploitation
MCP servers are registered as trusted tools in AI coding assistants. Once installed, the server has direct access to execute commands through the AI's tool interface.
Persistent Access
MCP server configurations persist in .claude/settings.json or similar config files, running on every AI assistant session.

MITRE ATT&CK Mapping

T1195.002Supply Chain Compromise — malicious npm MCP package
T1027Obfuscated Files — 1.8MB javascript-obfuscator
T1219Remote Access Software — MCP server as tool interface
T1546Event Triggered Execution — MCP server auto-loaded by AI assistant

Tags

MCPObfuscatedTrojanAI SecurityClaude Code

Full Report

Trojanized MCP Server: abtestresult-mcp@1.0.7

TL;DR

1.8MB heavily obfuscated npm package disguised as a Model Context Protocol (MCP) server. Exploits the growing trust in MCP servers that extend AI coding assistants.

Package Info

  • Name: abtestresult-mcp@1.0.7
  • Registry: npm
  • Published: 2026-04-03

Analysis

MCP Ecosystem Abuse

Model Context Protocol (MCP) servers are plugins that extend AI coding assistants like Claude Code and Cursor with additional capabilities. Developers install them to add tools — database access, API integrations, deployment automation. This trust model makes MCP servers a high-value attack vector: once registered, they have direct access to the AI assistant's tool interface.

Obfuscation

The entire 1.8MB package is obfuscated using javascript-obfuscator:

  • Hex-encoded variable names
  • String array rotation with RC4 encoding
  • Control flow flattening
  • Dead code injection
  • Anti-debugging and anti-tampering

No legitimate MCP server ships fully obfuscated code. The obfuscation alone is a red flag — it makes the package completely unauditable.

Attack Vector

  1. Developer finds abtestresult-mcp while searching for A/B testing tools
  2. Installs and registers it as an MCP server in their AI assistant config
  3. The obfuscated code runs with full access to the AI's tool interface
  4. Server persists in config files, loading on every AI assistant session

IOCs

  • Package: abtestresult-mcp@1.0.7
  • Size: 1.8MB (abnormal for an MCP server)
  • Pattern: 100% obfuscated code, zero readable source
  • Config target: .claude/settings.json, .cursor/ configs

MITRE ATT&CK

  • T1195.002 — Supply Chain Compromise (malicious npm MCP package)
  • T1027 — Obfuscated Files (1.8MB javascript-obfuscator)
  • T1219 — Remote Access Software (MCP server as tool interface)
  • T1546 — Event Triggered Execution (auto-loaded by AI assistant)

Credits

Detected by: npm-sentinel automated scanner Verified by: manual code review Date: 2026-04-03

Previous
#020 Trojanized Baileys Fork with Hidden Obfuscated Payload