mcp-remote
-
Report: Claude Desktop Extensions run unsandboxed, enabling zero-click RCE
A LayerX Security technical analysis found Claude Desktop Extensions run unsandboxed with full system privileges, enabling zero-click remote code execution via a malicious Google Calendar entry when MCP permissions are granted.
-
Cloudflare investigates global outage causing widespread 500 errors
Cloudflare is investigating a global outage that caused widespread 500 errors and dashboard/API failures; multiple European nodes and tens of thousands of user reports were affected while Cloudflare works on mitigation and some services show signs of recovery.
-
Patched command injection in Figma MCP server could allow remote code execution, researchers say
A command injection bug in the figma-developer-mcp Model Context Protocol server, tracked as CVE-2025-53967 and scored 7.5, could allow remote code execution by interpolating unvalidated input into shell commands; the issue was fixed in version 0.6.3 and researchers recommend avoiding child_process.exec with untrusted data.
-
Researchers find malicious ‘postmark-mcp’ npm package that forwarded emails to attacker
Researchers say a malicious npm package named “postmark-mcp” copied an official library and, beginning with version 1.0.16, BCC’d every email to an external address, exposing potentially sensitive communications; the package has been removed from npm and users are urged to revoke credentials and check logs.
-
Critical Remote Code Execution Vulnerability Discovered in mcp-remote Project
A critical vulnerability in the mcp-remote project could allow hackers to execute arbitrary operating system commands, prompting updates and stronger security practices for users.
