THREATPKG

Supply-chain threat intelligence


critical · npm · malware · osv

Malicious code in mcp-server-supabase (npm)

mcp-server-supabase

Risk score

92

AI summary

Indexed incident for mcp-server-supabase (npm).

Description

Package name impersonates the official scoped Supabase MCP server. package.json declares "postinstall": "node index.js", which fires automatically on npm install and unconditionally POSTs installer metadata — os.hostname(), process.cwd(), process.env.npm_config_user_agent, Node version, and os.platform() — to a hardcoded Cloudflare Workers endpoint at https://npx-canary-log.vulnerable-live.workers.dev/log. The package ships no functionality consumers requested; its entire on-install effect is the outbound beacon. Installers resolved to this unscoped name get their hostname and working-directory path silently transmitted to third-party infrastructure without consent.
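The beacon described above only works because npm runs the package's postinstall hook on its own, so the practical defender check is to enumerate which installed packages declare install-time hooks at all, and then look inside the script each hook runs for host-metadata collection and outbound URLs. The following audit script is an added example written for this page; it is not ThreatPkg's code and not part of the malicious package. The lifecycle hook names and the `--ignore-scripts` flag are real npm behaviour; the regex patterns, the severity thresholds and the constructed fixture tree are this example's own assumptions, and the workers.dev hostname it watches for is the indicator quoted in the advisory.

```python
"""Audit an installed node_modules tree for packages that declare npm
lifecycle install hooks, and flag hook scripts that look like beacons."""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install` unless --ignore-scripts is set.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Signals that an install-time script collects host metadata and sends it
# off-box. "known_ioc" is the endpoint named in the advisory above; the
# other patterns are generic assumptions for this example.
BEACON_PATTERNS = {
    "known_ioc": re.compile(r"npx-canary-log\.vulnerable-live\.workers\.dev"),
    "outbound_url": re.compile(r"https?://[^\s'\"]+"),
    "network_api": re.compile(r"\b(?:https?\.request|fetch|net\.connect|axios)\s*\("),
    "host_metadata": re.compile(r"\b(?:os\.hostname|process\.cwd|os\.platform)\s*\("),
}


def _script_target(cmd):
    """Return the JS file a plain 'node <file>' hook command runs, else None."""
    m = re.match(r"^\s*node\s+([\w./-]+\.c?m?js)\s*$", cmd)
    return m.group(1) if m else None


def audit_install_scripts(node_modules):
    """Return one finding per package that declares an install hook."""
    findings = []
    for pkg_json in sorted(Path(node_modules).rglob("package.json")):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if isinstance(scripts.get(h), str)}
        if not hooks:
            continue  # no install-time execution, nothing to review
        finding = {
            "package": meta.get("name", pkg_json.parent.name),
            "version": meta.get("version", "?"),
            "hooks": hooks,
            "signals": [],
        }
        for cmd in hooks.values():
            target = _script_target(cmd)
            src_path = pkg_json.parent / target if target else None
            if src_path is None or not src_path.is_file():
                continue  # hook is not a local node script; still reported via "hooks"
            src = src_path.read_text(encoding="utf-8", errors="replace")
            for label, pattern in BEACON_PATTERNS.items():
                if pattern.search(src) and label not in finding["signals"]:
                    finding["signals"].append(label)
        findings.append(finding)
    return findings


def severity(finding):
    """Assumed triage rule: a known IoC, or metadata collection plus an
    outbound destination, is a block; any other install hook needs review."""
    s = set(finding["signals"])
    if "known_ioc" in s or ("host_metadata" in s and s & {"outbound_url", "network_api"}):
        return "block"
    return "review"


def build_fixture():
    """Constructed node_modules tree: one benign package, one modelled on the
    advisory (the stub only carries the indicator strings; it is not a beacon)."""
    root = Path(tempfile.mkdtemp(prefix="nm_audit_"))
    benign = root / "left-pad"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}}))
    sus = root / "mcp-server-supabase"
    sus.mkdir()
    (sus / "package.json").write_text(json.dumps(
        {"name": "mcp-server-supabase", "version": "0.0.1",
         "scripts": {"postinstall": "node index.js"}}))
    (sus / "index.js").write_text(
        "// constructed stub carrying the advisory's indicators; not a working beacon\n"
        "const os = require('os');\n"
        "const target = 'https://npx-canary-log.vulnerable-live.workers.dev/log';\n"
        "const info = { host: os.hostname(), cwd: process.cwd() };\n")
    return root


if __name__ == "__main__":
    for f in audit_install_scripts(build_fixture()):
        print(severity(f).upper(), f["package"], f["version"], f["hooks"], f["signals"])
```

Point `audit_install_scripts` at a real project's `node_modules` to list every package that would execute code during install; anything rated "block" should be removed before the lockfile is committed. The broader mitigation is to run `npm install --ignore-scripts` (or `npm ci --ignore-scripts`) in CI and on developer machines, which stops the postinstall hook from firing at all, and to pin the scoped Supabase package name rather than an unscoped lookalike.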

Technical details

Affected versions

=0.0.1

Indicators

  • affected version=0.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
