npm taught us everything we needed to know about trusting a stranger's code. We brought none of it with us.
The Model Context Protocol is barely two years old and it already has a package ecosystem: thousands of servers, competing registries, a marketplace or three, and an install-and-go culture that would make a 2015 JavaScript developer feel right at home. It also has the security posture of one. In April, OX Security published the disclosure that should have stopped the party.
It didn't.
The whole bug, in one paragraph
A single architectural decision in Anthropic's official MCP SDK gives you direct configuration-to-command execution over the STDIO transport. Hand it a command and it runs on the host. If that command happens to spin up a valid STDIO server, you get a handle back. If it doesn't, you get an error, after the command has already run.
That's it. That's the flaw. It isn't a typo in one library. It's in every officially supported SDK: Python, TypeScript, Java, Rust. Anyone who built on the reference implementation inherited it.
The numbers OX put on it: more than 7,000 publicly accessible servers, packages totalling over 150 million downloads, up to 200,000 vulnerable instances. Ten-plus CVEs across names you actually run: LiteLLM, LangChain, LangFlow, Flowise, Windsurf, GPT Researcher, Upsonic, DocsGPT. The same root cause has been reported independently for the past year under different CVE numbers, in MCP Inspector, LibreChat and Cursor. Nobody connected the dots until someone counted.
The case for MCP is real
I'm not here to tell you to rip it out. I use MCP every day. My own stack leans on it for search, database access, and project tooling. The protocol solved a genuine problem: one interface so any agent can talk to any tool, instead of N bespoke integrations rotting in N different ways. Adoption has blown past 19,000 servers and keeps climbing, because it works.
That's exactly why this matters. The blast radius scales with the success.
"Expected"
Here is where it stops being a bug report and becomes a choice.
Anthropic looked at configuration-to-command execution across every SDK they ship and called it expected behaviour. Sanitisation, they said, is the developer's responsibility. A week after disclosure they updated their security guidance to recommend using STDIO adapters cautiously. OX's verdict on that update: "This change didn't fix anything."
The line that should be on a poster in every AI team's office is theirs:
"What made this a supply chain event rather than a single CVE is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be."
And the follow-up, which is the entire npm tragedy compressed into two sentences:
"Shifting responsibility to implementers does not transfer the risk. It just obscures who created it."
We have watched this exact move before. left-pad. event-stream. The overworked maintainer who cannot be expected to audit everything downstream of them. Push responsibility to the edges and nobody owns the centre. MCP didn't learn the lesson. It re-enacted it, faster.
The playbook, aimed at your tool list
Typosquatting. Dependency confusion. Malicious maintainers. We have seen this film. MCP just bolts on a nastier final act, because the thing an agent reads from a tool is not only code. It is instructions.
A tool descriptor is natural language the model folds into its own prompt. The description field is an execution path. A name one character off the real server, a hidden instruction buried in tool metadata, a quietly manipulated schema, and the agent wires the thing into its tool list and starts doing what it says. This is the attack surface I wrote about when Meta's support bot got talked into resetting passwords: a system that cannot be suspicious, handed a sentence that looks like a job.
OX didn't stop at theory. They poisoned 9 of 11 MCP registries with a trial balloon and executed commands on six live production platforms.
And the servers themselves are open in ways we fixed fifteen years ago. One scan of a few thousand MCP servers: 67% carrying code-injection risk, 34% command injection, 36.7% vulnerable to SSRF. These are 2010-era web bugs showing up in 2026 AI infrastructure, for the dullest possible reason. The people writing MCP servers are systems and ML engineers, not security engineers, and the protocol gave them nothing that made the safe path the default one.
The supply chain is already aiming here. An npm infostealer went straight for Claude's workspace three weeks ago. The agent is the most credentialed, most trusting process on your machine, and now it has a package manager.
What we actually lock down
You cannot prompt your way out of an architecture that treats config as a command line. A rule in a prompt is a suggestion. A system-level constraint is real. That's the whole argument for hooks over politeness, and it applies double here.
- Treat external MCP config as untrusted input. Anything that can edit a server's JSON config can run code. A config diff is a code diff. It goes through review, not around it.
- Sandbox every server. Run MCP-enabled services somewhere isolated, never on the box that holds your real keys. This is the same take-back-control reflex I applied to my own server: assume the process is hostile and box it in.
- Block public IP access to sensitive services. SSRF only pays off if the server can reach something worth reaching. Cut the route and a third of those vulnerabilities stop mattering.
- Pin and verify sources. Install from named, verified publishers, not a marketplace badge. Reputation is not integrity; the badge can be poisoned too.
- Monitor tool invocations. Log what your agents actually call. You cannot catch a tool behaving badly if you never look at what it does.
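One way to put the first and fourth items above into practice, and to catch the configuration-to-command execution described earlier before it happens, is a lint pass over the client's MCP config at review time, before any STDIO server in it is launched. This is an added example, not code from OX Security, Anthropic or the MCP SDK; it assumes the common `mcpServers` JSON layout, and the launcher allowlist, package names and sample entries are constructed for illustration.

```python
import json
import re

# Constructed allowlist: launchers this client may hand a STDIO server's command to.
ALLOWED_LAUNCHERS = {"npx", "uvx", "node", "python", "python3"}
# A shell wrapper turns the args array into a full command line: always reject.
SHELL_WRAPPERS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
SHELL_META = re.compile(r"[;&|`$<>(){}]")
# name@1.2.3 or @scope/name@1.2.3: an npx package pinned to an explicit version.
PINNED = re.compile(r"^(@[\w.-]+/)?[\w.-]+@\d")


def lint_server(spec: dict) -> list[str]:
    """Return the findings for one mcpServers entry; an empty list means clean."""
    findings = []
    command = str(spec.get("command", ""))
    args = [str(a) for a in spec.get("args", [])]
    launcher = command.replace("\\", "/").rsplit("/", 1)[-1]
    if launcher in SHELL_WRAPPERS:
        findings.append("command is a shell wrapper, so args become a full command line")
    elif launcher not in ALLOWED_LAUNCHERS:
        findings.append(f"launcher {command!r} is not on the allowlist")
    for field, values in (("command", [command]), ("args", args)):
        if any(SHELL_META.search(v) for v in values):
            findings.append(f"shell metacharacters in {field}")
    if launcher == "npx":
        packages = [a for a in args if not a.startswith("-")]
        if packages and not PINNED.match(packages[0]):
            findings.append(f"npx package {packages[0]!r} is not pinned to a version")
    return findings


def lint_config(text: str) -> dict[str, list[str]]:
    """Lint every server in a client config; run this in config review, before launch."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: lint_server(spec) for name, spec in servers.items()}


# Constructed sample config: one pinned, allowlisted entry and two that must not launch.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "@example/server-docs@1.4.2", "/srv/docs"]},
    "search": {"command": "npx", "args": ["-y", "some-search-server"]},
    "helper": {"command": "sh", "args": ["-c", "./setup.sh && ./server"]},
}})

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else findings)
```

Wire it into whatever gate already reviews the config diff; an entry with any finding should be rejected rather than merely logged, since by the time the SDK reports an error the command has already run.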
Knowing what you are plugging in
The harder problem is the one npm took a decade to solve: how do you see the ecosystem before you trust a piece of it?
That's the gap I built MCP Observatory to close. It tracks the MCP ecosystem the way you'd want to track any registry you're about to wire into an agent: releases, dependency graphs, CVE feeds, composite risk grades, and static analysis that flags the command-injection and SSRF patterns OX found everywhere, plus the naming and impersonation games that make typosquatting work. Before you add a server to your tool list, you can at least know whether it's a known quantity or a stranger handing you a sentence.
npm needed ten years of breaches before lockfiles, audit tooling, and provenance became table stakes. MCP does not have ten years. Agents are being handed shells, credentials, and your inbox right now, and the protocol underneath them ships configuration-to-command execution and calls it expected.
We paid for this lesson once already. We're about to pay full price to learn it twice.