MCP Has a Supply Chain Problem

Published: February 27, 2026 at 05:33 PM EST
4 min read
Source: Dev.to

In 2018 the event‑stream npm package received a malicious update that targeted a specific Bitcoin wallet, resulting in millions of compromised downloads. MCP is heading down the same path—only faster.

Config most users have

If you’ve used Claude Desktop, Cursor, or any MCP client, your configuration probably looks like this:

{
  "mcpServers": {
    "my-tool": {
      "command": "npx",
      "args": ["-y", "some-mcp-server"]
    }
  }
}

The -y flag means “install without asking.” No version is pinned, so every time the agent starts it pulls the latest version from npm. If the package is compromised tomorrow, the agent will automatically run the compromised version.

We identified 502 MCP server configurations doing exactly this across the registries we monitor.

What we scanned

Aguara Watch crawls every major MCP registry (skills.sh, ClawHub, PulseMCP, mcp.so, LobeHub, Smithery, Glama), covering over 42 000 tools with 148 detection rules. Scans run incrementally every six hours.

Patterns we found

Pattern 1: No version pins

// What most configs look like
"args": ["-y", "some-mcp-server"]

// What they should look like
"args": ["-y", "some-mcp-server@1.2.3"]

502 MCP servers reference npx packages without pinning a version, allowing silent upgrades to compromised or malicious releases.

Pattern 2: Remote servers with no verification

1 050 configurations point to non‑localhost remote URLs. The protocol lacks built‑in server authentication, certificate pinning, or any way for the client to verify that https://mcp.some-service.com is actually run by the expected party.

Pattern 3: Auto‑install without confirmation

448 configurations use auto‑install flags that bypass user confirmation. Combined with missing version pins, this creates a fully automated pipeline from a compromised npm package to code execution on the user’s machine—no prompt, no hash check.

Pattern 4: Mutable external content

467 tools reference raw GitHub URLs (e.g., https://raw.githubusercontent.com/user/repo/main/config.yaml). Because the URL points to a mutable branch, the tool can execute whatever content is present at the time of download. Commit‑pinned URLs would mitigate this, but they are rarely used.

Pattern 5: Package managers inside tools

  • 1 679 tool definitions include pip install commands for arbitrary Python packages.
  • 742 definitions include system package manager calls (apt-get install, brew install).

These commands run with whatever permissions the agent process has, effectively allowing the tool to install software on the host machine.

The numbers

Finding                                 Count
npx without version pin                   502
Non‑localhost remote MCP server         1 050
Auto‑install without confirmation         448
Mutable GitHub raw URLs                   467
pip install arbitrary package           1 679
System package manager install            742
Total findings across all rules        19 830
CRITICAL severity                         485
HIGH severity                           1 718

These are not theoretical vulnerabilities; they are active patterns in production MCP server listings.

What you can do

1. Pin your versions

"args": ["-y", "some-mcp-server@1.2.3"]

A couple of seconds of work eliminates an entire class of supply‑chain attacks.

2. Scan your MCP configs

curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
aguara scan --auto

Aguara automatically discovers Claude Desktop, Cursor, Windsurf, and other MCP client configs and scans them against 148 rules tuned on more than 42 000 real tools.

3. Read what your tools do

Inspect tool definitions: look at the commands they run, the URLs they contact, and the packages they install. If a “weather” tool invokes subprocess.run(), something is likely wrong.
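As an added example that is not part of the original post or of the Aguara project, the following Python script checks a client config for the five patterns described above (unpinned npx packages, non‑localhost remote URLs, auto‑install flags, branch‑pinned raw GitHub URLs, and package‑manager calls) and applies the version pin from step 1. The server names, package names and URLs in the embedded sample config are constructed placeholders, and the rule names are my own.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample config (hypothetical servers, packages and hosts, not any
# real project's config) exhibiting the five patterns plus clean entries.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "unpinned":   {"command": "npx", "args": ["-y", "some-mcp-server"]},
    "pinned":     {"command": "npx", "args": ["-y", "some-mcp-server@1.2.3"]},
    "remote":     {"url": "https://mcp.some-service.com/sse"},
    "local":      {"url": "http://localhost:3000/sse"},
    "raw-branch": {"command": "sh", "args": ["-c",
        "curl -fsSL https://raw.githubusercontent.com/user/repo/main/config.yaml | sh"]},
    "raw-commit": {"command": "sh", "args": ["-c",
        "curl -fsSL https://raw.githubusercontent.com/user/repo/0123456789abcdef0123456789abcdef01234567/config.yaml"]},
    "pip":        {"command": "sh", "args": ["-c", "pip install somepkg && python server.py"]}
  }
}
"""

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+")  # 1.2.3; rejects 'latest', '^1', ranges
RAW_GITHUB = re.compile(r"https://raw\.githubusercontent\.com/[^/\s]+/[^/\s]+/([^/\s]+)/")
COMMIT_SHA = re.compile(r"[0-9a-f]{40}")
PKG_MANAGER = re.compile(r"\b(?:pip3?\s+install|apt-get\s+install|brew\s+install)\b")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def split_npm_spec(spec):
    """Split 'name@version' into (name, version or None). Scoped packages start
    with '@', so only an '@' after the first character separates the version."""
    body = spec[1:] if spec.startswith("@") else spec
    name, sep, version = body.partition("@")
    if spec.startswith("@"):
        name = "@" + name
    return name, (version if sep else None)

def strings_in(value):
    """Yield every string nested anywhere in a JSON value (args, env, url, ...)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from strings_in(v)

def scan_server(name, server):
    """Return (server, rule, detail) findings for one mcpServers entry."""
    findings = []
    args = [a for a in server.get("args", []) if isinstance(a, str)]
    if str(server.get("command", "")).rsplit("/", 1)[-1] == "npx":
        if {"-y", "--yes"} & set(args):
            findings.append((name, "auto-install", "npx -y runs the package without confirmation"))
        positional = [a for a in args if not a.startswith("-")]
        if positional:
            pkg, version = split_npm_spec(positional[0])
            if version is None or not EXACT_VERSION.match(version):
                findings.append((name, "npx-unpinned", f"{pkg} has no exact version pin"))
    url = server.get("url")
    if url:
        host = urlparse(url).hostname or ""
        if host not in LOCAL_HOSTS:
            findings.append((name, "remote-unverified", f"remote MCP endpoint {host}"))
    for text in strings_in(server):
        for ref in RAW_GITHUB.findall(text):
            if not COMMIT_SHA.fullmatch(ref):  # branch or tag names can move; a SHA cannot
                findings.append((name, "mutable-raw-url", f"raw GitHub ref '{ref}' is not a commit SHA"))
        if PKG_MANAGER.search(text):
            findings.append((name, "package-manager", "tool installs packages at runtime"))
    return findings

def scan_config(text):
    """Scan an MCP client config (JSON text) and return all findings in config order."""
    config = json.loads(text)
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        findings.extend(scan_server(name, server))
    return findings

def pin_npx_args(args, version):
    """Return a copy of args with the first positional package spec pinned to an exact version."""
    out = list(args)
    for i, arg in enumerate(out):
        if not arg.startswith("-"):
            out[i] = f"{split_npm_spec(arg)[0]}@{version}"
            break
    return out

if __name__ == "__main__":
    for server, rule, detail in scan_config(SAMPLE_CONFIG):
        print(f"{server:12} {rule:18} {detail}")
    print(pin_npx_args(["-y", "some-mcp-server"], "1.2.3"))
```

Note that the `pinned` entry still trips the `auto-install` rule: the post's own recommended fix keeps `-y`, and Pattern 3 counts that flag regardless of pinning, so pinning removes the silent‑upgrade risk but not the missing confirmation step. Run it against a real `claude_desktop_config.json` by reading the file into `scan_config` in place of `SAMPLE_CONFIG`.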

The parallel with npm

npm went through a similar cycle: rapid adoption, minimal review, supply‑chain attacks, then the introduction of lockfiles and audits as standard defenses. MCP is currently in the rapid‑adoption phase, but unlike npm packages that run in sandboxed browser tabs, MCP tools execute directly in your shell with access to your file system and credentials. The potential blast radius is your entire machine.

We can break the cycle by learning from npm’s experience.

Aguara is open‑source (Apache‑2.0). The observatory is live. If you run MCP servers, scan your configurations—you might be surprised by what you find.
