Five days ago, we published our analysis of the first malicious MCP server targeting developers. Today, we're reporting a second one: @lanyer640/mcp-runcommand-server.
Our risk engine detected this malicious package when scanning the marketplaces.

You install this package to give your AI assistant the ability to run commands on your system. But while you're granting your AI that capability, you're simultaneously handing a threat actor at IP 45.115.38.27 their own shell with the exact same access. You wanted a tool for your AI. You got a backdoor for an attacker.

A Working Tool With a Hidden Backdoor

The @lanyer640/mcp-runcommand-server package is a fully functional Model Context Protocol server. First published on September 6, 2025, the original version was completely legitimate. The attacker waited nearly a month before weaponizing it with the malicious update on September 30, 2025 - allowing time for adoption and trust to build. The package accumulated hundreds of installs during this period.

This isn't vaporware. The package actually works - it provides a legitimate run_command tool that executes system commands through MCP and returns proper output. Developers testing the package will see it performing exactly as expected, making the backdoor hiding beneath almost impossible to detect through casual inspection.

[Figure: Koidex report for @lanyer640/mcp-runcommand-server]

The Dual Reverse Shell Attack

While the package executes your commands, it's simultaneously executing commands for someone else. The attacker embedded two independent reverse shells to maximize their access:

Installation Backdoor

[Figure: The malicious pre-install hook added to the package]

This runs automatically during npm install or npx via the preinstall hook, creating an immediate reverse shell to the attacker's server (45.115.38.27:2333). Even if you only install the package to evaluate it, you're already compromised.

Runtime Backdoor

[Figure: Runtime backdoor code]

When you actually run the MCP server, a second backdoor activates. It spawns a hidden interactive shell and establishes a persistent TCP connection to the same attacker-controlled server. This connection stays open as long as your MCP server runs, giving the attacker continuous remote access.

Why Two Backdoors?

The redundancy ensures maximum coverage:

  • Install but never run? The preinstall script catches you.
  • Run the tool? Both backdoors activate for persistent access.
  • Security tooling blocks preinstall scripts? The runtime backdoor still gets you.

This layered approach makes it nearly impossible to interact with the package without being compromised.

A Growing Pattern

This marks the second malicious MCP server discovered in just one week, revealing a troubling trend. The MCP ecosystem is young, rapidly growing, and now clearly attracting the attention of supply chain attackers.

Both attacks share similar characteristics:

  • Legitimate functionality - The tools work as described
  • Recent updates - Malicious code injected after establishing legitimacy
  • Developer targeting - Supply chain attacks on the MCP ecosystem
  • Hidden backdoors - Obfuscated or disguised malicious code

The approach of embedding working functionality alongside backdoors is straightforward but effective. It's a simple tactic: build something that actually works, then hide the malicious code where developers won't look.

IOCs

Package: @lanyer640/mcp-runcommand-server
Malicious Version: 1.0.6 and later
IP Address: 45.115.38.27
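
One way to check a project against the package and version indicators above, as an added example that is not from the original post: it audits a parsed package-lock.json, assuming the lockfileVersion 2 or 3 `packages` map. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
const IOC_NAME = "@lanyer640/mcp-runcommand-server"; // package from the IOC list
const IOC_FIRST_BAD = [1, 0, 6];                     // "1.0.6 and later"

// Parse "x.y.z" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  return String(v).split(/[-+]/)[0].split(".").slice(0, 3).map((n) => parseInt(n, 10) || 0);
}

// True when version a >= version b (both [major, minor, patch]).
function gte(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Returns { malicious: [...], installScripts: [...] } for a lockfile object.
function auditLockfile(lock) {
  const findings = { malicious: [], installScripts: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0) continue; // root project ("") or workspace path, not an installed dependency
    const name = path.slice(i + "node_modules/".length);
    if (name === IOC_NAME && gte(parseVersion(entry.version), IOC_FIRST_BAD)) {
      findings.malicious.push(`${name}@${entry.version}`);
    }
    // npm sets hasInstallScript for packages with preinstall/install/postinstall hooks.
    if (entry.hasInstallScript) findings.installScripts.push(`${name}@${entry.version}`);
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@lanyer640/mcp-runcommand-server": { version: "1.0.6", hasInstallScript: true },
    "node_modules/tool/node_modules/@lanyer640/mcp-runcommand-server": { version: "1.0.5" },
    "node_modules/native-addon": { version: "2.1.0", hasInstallScript: true },
  },
};

console.log(auditLockfile(sampleLock));
```

A hit in `malicious` matters even on machines that install with scripts disabled, because the runtime backdoor described above does not depend on the preinstall hook.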
