npkg:@google-cloud/cloud-run-mcp@1.10.0 MEDIUM 6.5 Summary

Chaintrap · npm supply chain

npm package scan

Static behavior detection plus OSV vulnerability intel in one report. Use findings for triage; confirm with your process — full stdout and JSON are in the appendix for audit.

CRITICAL
Package
@google-cloud/cloud-run-mcp@1.10.0
Dist.Shasum
58eea8954e4995101ab670e391c445d2a63e5bbb
Dist.Integrity
sha512-9X9K2zbL5i6i/q1qqqI6mBj/kCpQPpaKygEr1AiwEUVLBTASX7hA6A95WfeOnxzAi25M++gSIcekwyYpGdkL7w==
License
Apache-2.0
Published
2026-03-04T14:42:22.301Z
Scanned At
2026-04-21T07:06:01.008Z (3926ms)

Executive summary

npm-mal-scan rated malware risk CRITICAL for this package (heuristic static analysis — not a court verdict). Vulnerability signal: NONE; dependency confusion: NONE. Scanner verdict: CRITICAL.

Scanners prioritize signal over certainty: expect both false positives and blind spots. Chaintrap is designed to combine static detection with OSV CVE data so analysts spend time on packages that look risky and have known-vuln exposure — not to replace manual review or reputation checks.

Heuristic score: 6.5 / 10 · Exit code: 1 · Completed 2026-04-21T07:06:06.015004+00:00

Malware risk
CRITICAL
Vulnerability risk
NONE
Dep confusion
NONE

Package overview

@google-cloud/cloud-run-mcp@1.10.0
Maintainers (registry): google-wombot <node-team-npm+wombot@google.com> · google-admin <github-admin@google.com> · npm user (version): google-wombot <node-team-npm+wombot@google.com>
License
Apache-2.0
Published
2026-03-04T14:42:22.301Z
Scanned
2026-04-21T07:06:01.008Z (3926ms)
Runtime dependencies (14)
Scanner build: 1.0.0

Runtime dependencies — OSV intel

Modes: OSV per dependency · resolve cap: 15 · per-child timeout: 120s

Dependency                        Declared   Resolved / status   OSV #   Max OSV severity   Full scan   Reports
@dotenvx/dotenvx                  ^1.52.0    1.61.1              0
@google-cloud/artifact-registry   ^4.0.1     4.7.0               0
@google-cloud/billing             ^5.0.1     5.1.1               0
@google-cloud/cloudbuild          ^5.0.1     5.5.0               0
@google-cloud/logging             ^11.2.0    11.2.1              0
@google-cloud/resource-manager    ^6.0.1     6.2.1               0
@google-cloud/run                 ^3.1.0     3.2.0               0
@google-cloud/service-usage       ^4.1.0     4.2.1               0
@google-cloud/storage             ^7.16.0    7.19.0              0
@modelcontextprotocol/sdk         ^1.24.3    1.29.0              0
archiver                          ^7.0.1     7.0.1               0
express                           ^5.1.0     5.2.1               0
google-proto-files                ^5.0.0     5.0.1               0
zod                               ^3.25.76   3.25.76             0

OSV queries use the resolved version shown (exact pins as declared; ranges use the highest published version satisfying the range). See NPM_RUNTIME_DEP_OSV_SCAN / NPM_RUNTIME_DEP_FULL_SCAN in operator docs.


0 known vulnerabilities (OSV)

OSV lookup: Checked

Chaintrap pairs static behavior signals above with OSV data for this exact version — cross-check CVEs and malware listings with install scripts, execution paths, and scanner findings.

Source: osv.dev — queried at scan time.

No known vulnerabilities reported for this exact version.

Attack path

✓ 0 lifecycle hooks — this package does NOT execute code at install time. Malicious code only runs when the package binary or exports are explicitly invoked.
▶ Runs on user invocation — NOT at install

Illustrative execution chain from scan order and behavior findings — heuristic, not a guaranteed exploit path.

Trigger
User invocation
Entry point
mcp-server.js
Subprocess
auth.js:65
  • 🔴 lib/cloud-api/auth.js:65 · Subprocess: '2. Ensuring the `GOOGLE_APPLICATION_CREDENTIALS` environment variable points to a valid service account key file.'
  • 🔴 test/need-gcp/gcp-auth-check.test.js:126 · Subprocess: '2. Ensuring the `GOOGLE_APPLICATION_CREDENTIALS` environment variable points to a valid service account key file.',
  • 🟡 mcp-server.js:148 · Subprocess: token_endpoint: process.env.OAUTH_TOKEN_ENDPOINT,
  • 🟡 lib/clients.js:21 · Subprocess: const CLIENT_SECRET = process.env.GOOGLE_OAUTH_CLIENT_SECRET;
  • 🔴 lib/cloud-api/build.js:154 · Subprocess: const buildId = Buffer.from(encodedBuildId, 'base64').toString('ascii');
  • 🔴 lib/deployment/universal-maker.js:101 · Subprocess: const remoteSha256Hex = Buffer.from(remoteSha256Base64, 'base64').toString(
  • 🟡 lib/cloud-api/build.js:156 · Subprocess: while (true) {
  • 🟡 lib/cloud-api/helpers.js:37 · Subprocess: while (true) {
  • 🟠 lib/deployment/deployer.js:155 · Subprocess: skipIamCheck &&
  • 🟠 tools/register-tools.js:103 · Subprocess: projectId !== undefined &&
  • 🟠 lib/deployment/universal-maker.js:226 · Subprocess: const outputDir = path.join(os.tmpdir(), `um-output-${Date.now()}`);
  • 🟢 test/local/mcp-server-stdio.test.js:14 · Subprocess: serverProcess = spawn('node', ['mcp-server.js'], {

Publish Entry Points (main / exports / module)

  • → mcp-server.js

Execution-first Scan Order (46 files — tier 1 = install/entry/dist, tier 2 = adapters/core, tier 3 = shallow)

  • T1 score=100 mcp-server.js · package.json bin · publish entry (main / exports / module / browser)
  • T3 score=25 constants.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/clients.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/cloud-api/auth.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/cloud-api/billing.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/cloud-api/build.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/cloud-api/helpers.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/cloud-api/metadata.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/cloud-api/projects.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/cloud-api/registry.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/cloud-api/run.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/cloud-api/storage.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/deployment/constants.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/deployment/deployer.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/deployment/helpers.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/deployment/source-processor.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/deployment/universal-maker.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/middleware/oauth.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/util/archive.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/util/helpers.js · other package script (tier 3 shallow scan)
  • T3 score=25 prompts.js · other package script (tier 3 shallow scan)
  • T3 score=25 test/local/clients.test.js · other package script (tier 3 shallow scan)
  • T3 score=25 test/local/cloud-api/build.test.js · other package script (tier 3 shallow scan)
  • T3 score=25 test/local/cloud-api/projects.test.js · other package script (tier 3 shallow scan)
  • T3 score=25 test/local/deployment-helpers.test.js · other package script (tier 3 shallow scan)
  • … and 21 more prioritized paths

Malware / Behavior Findings (13 finding(s))

Consolidated match CRITICAL

Most signature hits in the command:

1 rule(s) matched · lib/cloud-api/auth.js:65

Command / snippet
lib/cloud-api/auth.js:65
'2. Ensuring the `GOOGLE_APPLICATION_CREDENTIALS` environment variable points to a valid service account key file.'
All rules that matched this line
  • CRITICAL [T3 exec-surface] [CT005] Docker/Kubernetes secret access

    DOCKER_CONFIG, KUBECONFIG, or similar CI/cloud credential paths are accessed

Consolidated match CRITICAL

Most signature hits in the command:

1 rule(s) matched · lib/cloud-api/build.js:154

Command / snippet
lib/cloud-api/build.js:154
const buildId = Buffer.from(encodedBuildId, 'base64').toString('ascii');
All rules that matched this line
  • CRITICAL [T3 exec-surface] [OBF003] Base64 decode and execute

    Buffer.from(..., "base64") or atob() is used to decode and run hidden code

Consolidated match CRITICAL

Most signature hits in the command:

1 rule(s) matched · lib/deployment/universal-maker.js:101

Command / snippet
lib/deployment/universal-maker.js:101
const remoteSha256Hex = Buffer.from(remoteSha256Base64, 'base64').toString(
All rules that matched this line
  • CRITICAL [T3 exec-surface] [OBF003] Base64 decode and execute

    Buffer.from(..., "base64") or atob() is used to decode and run hidden code

Consolidated match CRITICAL

Most signature hits in the command:

1 rule(s) matched · test/need-gcp/gcp-auth-check.test.js:126

Command / snippet
test/need-gcp/gcp-auth-check.test.js:126
'2. Ensuring the `GOOGLE_APPLICATION_CREDENTIALS` environment variable points to a valid service account key file.',
All rules that matched this line
  • CRITICAL [T3 exec-surface] [CT005] Docker/Kubernetes secret access

    DOCKER_CONFIG, KUBECONFIG, or similar CI/cloud credential paths are accessed

Consolidated match HIGH

Most signature hits in the command:

1 rule(s) matched · lib/clients.js:21

Command / snippet
lib/clients.js:21
const CLIENT_SECRET = process.env.GOOGLE_OAUTH_CLIENT_SECRET;
All rules that matched this line
  • HIGH [T3 exec-surface] [CT002] Generic secret/token env var access

    Environment variables with KEY, SECRET, TOKEN, or PASSWORD in the name are read

Consolidated match HIGH
Network / C2 signal

Most signature hits in the command:

1 rule(s) matched · lib/cloud-api/build.js:156

Command / snippet
lib/cloud-api/build.js:156
while (true) {
All rules that matched this line
  • HIGH [T3 exec-surface] [PS001] while(true) beacon loop

    Infinite loop with network/exec calls is a persistent beacon/C2 pattern

Consolidated match HIGH
Network / C2 signal

Most signature hits in the command:

1 rule(s) matched · lib/cloud-api/helpers.js:37

Command / snippet
lib/cloud-api/helpers.js:37
while (true) {
All rules that matched this line
  • HIGH [T3 exec-surface] [PS001] while(true) beacon loop

    Infinite loop with network/exec calls is a persistent beacon/C2 pattern

Consolidated match HIGH

Most signature hits in the command:

1 rule(s) matched · mcp-server.js:148

Command / snippet
mcp-server.js:148
token_endpoint: process.env.OAUTH_TOKEN_ENDPOINT,
All rules that matched this line
  • HIGH [T1 exec-surface] [CT002] Generic secret/token env var access

    Environment variables with KEY, SECRET, TOKEN, or PASSWORD in the name are read

Consolidated match MEDIUM

Most signature hits in the command:

1 rule(s) matched · lib/deployment/deployer.js:155

Command / snippet
lib/deployment/deployer.js:155
skipIamCheck &&
All rules that matched this line
  • MEDIUM [T3 exec-surface] [PS003] Background shell execution (&)

    Shell command sent to background with & — allows npm install to exit while payload runs

Consolidated match MEDIUM
Network / C2 signal

Most signature hits in the command:

1 rule(s) matched · lib/deployment/universal-maker.js:226

Command / snippet
lib/deployment/universal-maker.js:226
const outputDir = path.join(os.tmpdir(), `um-output-${Date.now()}`);
All rules that matched this line
  • MEDIUM [T3 exec-surface] [SP001] os.tmpdir() payload staging

    Temp directory used to stage downloaded payloads or drop scripts

Consolidated match MEDIUM

Most signature hits in the command:

1 rule(s) matched · tools/register-tools.js:103

Command / snippet
tools/register-tools.js:103
projectId !== undefined &&
All rules that matched this line
  • MEDIUM [T3 exec-surface] [PS003] Background shell execution (&)

    Shell command sent to background with & — allows npm install to exit while payload runs

Consolidated match LOW

Most signature hits in the command:

1 rule(s) matched · test/local/mcp-server-stdio.test.js:14

Command / snippet
test/local/mcp-server-stdio.test.js:14
serverProcess = spawn('node', ['mcp-server.js'], {
All rules that matched this line
  • LOW [T3 exec-surface] [PE005] spawn usage

    spawn creates a child process

Consolidated match LOW
Network / C2 signal

Most signature hits in the command:

1 rule(s) matched · test/local/mcp-server-streamable-http.test.js:45

Command / snippet
test/local/mcp-server-streamable-http.test.js:45
serverProcess = spawn('node', ['mcp-server.js'], {
All rules that matched this line
  • LOW [T3 exec-surface] [PE005] spawn usage

    spawn creates a child process

Tarball vs Repo Diff (3 finding(s))

[MEDIUM] DIFF_UNTRACKED_FILE File: example-sources-to-deploy/Dockerfile File "example-sources-to-deploy/Dockerfile" exists in the published tarball but is NOT present in the GitHub repository. Verify this is intentional (generated file, etc.).

[MEDIUM] DIFF_UNTRACKED_FILE File: example-sources-to-deploy/go.mod File "example-sources-to-deploy/go.mod" exists in the published tarball but is NOT present in the GitHub repository. Verify this is intentional (generated file, etc.).

[MEDIUM] DIFF_UNTRACKED_FILE File: example-sources-to-deploy/main.go File "example-sources-to-deploy/main.go" exists in the published tarball but is NOT present in the GitHub repository. Verify this is intentional (generated file, etc.).

Known Vulnerabilities (OSV) ✔ No CVEs found

No known vulnerabilities for this version.

Tarball File Inventory

Total files
68
Executable scripts (46 paths)
  • constants.js
  • lib/clients.js
  • lib/cloud-api/auth.js
  • lib/cloud-api/billing.js
  • lib/cloud-api/build.js
  • lib/cloud-api/helpers.js
  • lib/cloud-api/metadata.js
  • lib/cloud-api/projects.js
  • lib/cloud-api/registry.js
  • lib/cloud-api/run.js
  • lib/cloud-api/storage.js
  • lib/deployment/constants.js
  • lib/deployment/deployer.js
  • lib/deployment/helpers.js
  • lib/deployment/source-processor.js
  • lib/deployment/universal-maker.js
  • lib/middleware/oauth.js
  • lib/util/archive.js
  • lib/util/helpers.js
  • mcp-server.js [bin] [shebang]
  • ... and 26 more
Verdict
CRITICAL
Malware
CRITICAL
CVE
NONE
Dep confusion
NONE

Remediation & containment

🗑 Remove package
  • Remove from project: npm uninstall @google-cloud/cloud-run-mcp
  • If globally installed: npm uninstall -g @google-cloud/cloud-run-mcp
  • Regenerate lock file: delete package-lock.json and run npm install
  • Block in CI: add to your package manager deny-list or use .npmrc overrides
🔒 Block candidate network IOCs
  • No package-extracted URLs, domains, or IPs listed for blocking yet (threat-intel citation URLs are excluded from this card).
🔑 Rotate credentials
  • Rotate GOOGLE_APPLICATION_CREDENTIALS if this package was executed on a system with that variable set
  • Rotate OAUTH_TOKEN_ENDPOINT if this package was executed on a system with that variable set
  • Rotate CLIENT_SECRET if this package was executed on a system with that variable set
  • Rotate GOOGLE_OAUTH_CLIENT_SECRET if this package was executed on a system with that variable set