
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@kieksme/contabo-mcp
Advanced tools
MCP server for the Contabo API (VMs, snapshots, object storage, secrets, domains)
MCP (Model Context Protocol) server for the Contabo API. Manage virtual machines, snapshots/backups, object storage, secrets, and domains from Cursor or other MCP clients.
contabo_* namingx-request-id per request and token refresh on 401readOnlyHint, destructiveHint, idempotentHint, openWorldHint) on all toolsx-request-id and audit-tool hintsThis package is an API client: it reads CONTABO_* environment variables and calls Contabo over HTTPS only. Outbound hosts are restricted to *.contabo.com unless CONTABO_ALLOW_CUSTOM_HOSTS=true (staging). See SECURITY.md for the full allowlist and reporting process.
The Socket.dev badge may show network access, environment variable access, URL strings, and GPL license alerts — these are intentional for this package type, not indicators of malware. Dependency CVEs are tracked via pnpm audit in CI.
Every tool sets MCP hints so clients can warn before destructive calls:
| Annotation | Used for |
|---|---|
readOnlyHint | List, get, stats, availability checks, audits |
destructiveHint: false | Safe writes (metadata updates, start instance) |
destructiveHint: true | Deletes, cancels, reinstall, power actions, billing changes |
openWorldHint | Creates and purchases that affect live account resources |
idempotentHint | DELETE operations safe to retry with the same id |
Errors return structured JSON (structuredContent.error) with code, message, status, and xRequestId.
Versioning and npm publish are automated with release-please on main. Any conventional commit under contabo-mcp/ updates the next release pull request. See CONTRIBUTING.md in the repository root.
All values come from the Contabo Customer Control Panel. You need a normal control-panel login (including 2FA if enabled).
The page title is API. It states that the data shown there plus the API password are required to use the API.
The panel lists four pieces of information (labels may appear in German or English depending on locale):
| Control panel (DE) | Control panel (EN) | Environment variable | Notes |
|---|---|---|---|
| Kunden-ID | Customer ID | CONTABO_CLIENT_ID | Format like DE-8791. This is the OAuth client id, not your VPS name. |
| Client-Secret | Client secret | CONTABO_CLIENT_SECRET | Shown masked (••••••). Copy when displayed or regenerate if you no longer have it. |
| Benutzername | Username | CONTABO_API_USER | Your API user email (often the same as your control-panel login). |
| API-Passwort | API password | CONTABO_API_PASSWORD | Separate from your control-panel login password (see below). |
Until you set an API password, the panel typically asks you to set a new password before you can use the API (“Bitte setzen Sie ein neues Passwort, um die API nutzen zu können”).
CONTABO_API_PASSWORD — not your normal my.contabo.com login password.You can change the API password anytime in the same place.
Copy the four values into .env (local development) or your MCP client env block:
CONTABO_CLIENT_ID=DE-XXXX # Customer ID from the panel
CONTABO_CLIENT_SECRET=... # Client secret (full string)
CONTABO_API_USER=you@example.com # Username from the panel
CONTABO_API_PASSWORD=... # API password you set on the API page
Example .cursor/mcp.json fragment:
"env": {
"CONTABO_CLIENT_ID": "DE-XXXX",
"CONTABO_CLIENT_SECRET": "your-client-secret",
"CONTABO_API_USER": "you@example.com",
"CONTABO_API_PASSWORD": "your-api-password"
}
After saving config, restart the MCP client (or reload MCP servers in Cursor). A quick check:
unauthorized_client / Invalid client credentials usually mean a wrong Customer ID or Client secret.invalid_grant or login-related errors often mean a wrong API user or API password (e.g. using the control-panel login password instead of the API password).Do not commit .env or paste secrets into chat, issues, or screenshots.
Published as @kieksme/contabo-mcp on npm under the kieksme account. No clone and no build step required.
Add to .cursor/mcp.json (or your global MCP config):
{
"mcpServers": {
"contabo": {
"command": "npx",
"args": ["-y", "@kieksme/contabo-mcp"],
"env": {
"CONTABO_CLIENT_ID": "your-client-id",
"CONTABO_CLIENT_SECRET": "your-client-secret",
"CONTABO_API_USER": "your-api-user@email.com",
"CONTABO_API_PASSWORD": "your-api-password"
}
}
}
}
With pnpm:
{
"mcpServers": {
"contabo": {
"command": "pnpm",
"args": ["dlx", "@kieksme/contabo-mcp"],
"env": {
"CONTABO_CLIENT_ID": "your-client-id",
"CONTABO_CLIENT_SECRET": "your-client-secret",
"CONTABO_API_USER": "your-api-user@email.com",
"CONTABO_API_PASSWORD": "your-api-password"
}
}
}
}
See mcp.json.example for more variants.
npx -y @kieksme/contabo-mcp
pnpm dlx @kieksme/contabo-mcp
npm install -g @kieksme/contabo-mcp
contabo-mcp
Without npm, install from the repository (first run builds the package; requires pnpm via Corepack on Node 20+):
{
"mcpServers": {
"contabo": {
"command": "npx",
"args": [
"-y",
"--package=git+https://github.com/kieksme/mcp-contabo.git#main",
"contabo-mcp"
],
"env": { "...": "..." }
}
}
}
npx -y --package=git+https://github.com/kieksme/mcp-contabo.git#main contabo-mcp
Read-only evaluation scenarios for agent testing live in evaluations/contabo.eval.xml. Regenerate answers against your account when adding live-data questions.
Development setup, testing, OpenAPI refresh, and release process: see CONTRIBUTING.md in the repository root.
| Area | Tools |
|---|---|
| Instances | contabo_instances_* (list, get, create, update, reinstall, cancel, upgrade, start/stop/restart/shutdown/rescue/reset_password, audits) |
| Snapshots / backups | contabo_snapshots_* |
| Object storage | contabo_object_storages_*, contabo_object_storage_credentials_* |
| Secrets | contabo_secrets_* |
| Domains | contabo_domains_*, contabo_domain_handles_* |
Automated VM backups: use contabo_instances_upgrade with body { "backup": {} }.
Object storage S3 credentials require userId (Contabo user UUID from the control panel).
GPL-3.0-or-later (see LICENSE).
FAQs
MCP server for the Contabo API (VMs, snapshots, object storage, secrets, domains)
The npm package @kieksme/contabo-mcp receives a total of 27 weekly downloads. As such, @kieksme/contabo-mcp popularity was classified as not popular.
We found that @kieksme/contabo-mcp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.