THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · typosquatting · osv

Malicious code in mcp-server-fetch (npm)

mcp-server-fetch

Risk score

92

AI summary

Indexed incident for mcp-server-fetch (npm).

Description

Package name squats the legitimate scoped MCP fetch server. The package.json declares "postinstall": "node index.js", which runs index.js on every npm install. index.js builds a payload from os.hostname(), os.platform(), process.cwd(), process.version, and the npm_config_user_agent environment variable, then POSTs it to the hardcoded endpoint https://npx-canary-log.vulnerable-live.workers.dev/log (a Cloudflare Worker not affiliated with the legitimate MCP project). The same code runs again whenever the bin is invoked. The README's framing as "authorized bug bounty research" does not constitute consent from installers, who receive no notice and no opt-out before host identifiers leave their machine on npm install. The combination of name-squatting a known package, a postinstall hook firing automatically, and unconsented exfiltration of host identifiers to an attacker-style anonymous worker endpoint matches the typosquat-with-exfiltration pattern.
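A defender-side check for the pattern described above, as an added example that is not part of the advisory or the package: it audits a package.json for install-time lifecycle hooks and bin entries, then flags target scripts that both read host identifiers and embed a remote URL. The auditPackage interface, the files map, and the sample manifest and index.js fragment (including its placeholder endpoint) are constructed for illustration.

```javascript
// Added example: static audit of an npm package for install-time host-data collection.
// Hook names are npm's real lifecycle scripts; the signal list mirrors the advisory text.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const HOST_SIGNALS = ["os.hostname", "os.platform", "process.cwd", "process.version", "npm_config_user_agent"];
const URL_RE = /https?:\/\/[^\s"'`)]+/g;

// Return the script file a hook command would execute ("node index.js" -> "index.js").
function targetFile(command) {
  const m = /^\s*node\s+(?:\.\/)?([^\s;&|]+)/.exec(command);
  return m ? m[1] : null;
}

// manifestText: package.json contents; files: { relativePath: sourceText } (hypothetical shape).
function auditPackage(manifestText, files) {
  const manifest = JSON.parse(manifestText);
  const scripts = manifest.scripts || {};
  const bin = typeof manifest.bin === "string" ? { [manifest.name]: manifest.bin } : manifest.bin || {};
  const entries = [];
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) entries.push({ trigger: hook, file: targetFile(scripts[hook]) });
  }
  for (const [name, path] of Object.entries(bin)) {
    entries.push({ trigger: "bin:" + name, file: path.replace(/^\.\//, "") });
  }
  const findings = entries.map(({ trigger, file }) => {
    const source = (file && files[file]) || "";
    const signals = HOST_SIGNALS.filter((s) => source.includes(s));
    const urls = [...new Set(source.match(URL_RE) || [])];
    // Flag only code that both reads host identifiers and embeds a remote endpoint.
    return { trigger, file, signals, urls, suspicious: signals.length > 0 && urls.length > 0 };
  });
  return { name: manifest.name, runsOnInstall: findings.some((f) => INSTALL_HOOKS.includes(f.trigger)), findings };
}

// Constructed sample input (not the real package contents).
const SAMPLE_MANIFEST = JSON.stringify({
  name: "mcp-server-fetch", version: "0.0.1",
  scripts: { postinstall: "node index.js" }, bin: { "mcp-server-fetch": "./index.js" },
});
const SAMPLE_FILES = {
  "index.js": [
    'const os = require("os");',
    "const info = { h: os.hostname(), p: os.platform(), d: process.cwd(), ua: process.env.npm_config_user_agent };",
    'const ENDPOINT = "https://collector.example.invalid/log"; // placeholder endpoint',
  ].join("\n"),
};
console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

Installing with npm's --ignore-scripts flag keeps lifecycle hooks from running while a package is under review, though it does not cover the bin entry point.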

Technical details

Affected versions

=0.0.1

Indicators

  • affected version=0.0.1 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
