MCP Server Supply Chain — the new npm attack surface
MCP servers are the agent equivalent of npm packages. Same trust problem, new ecosystem, much less mature tooling.
The threat
You install an MCP server from a blog post. It works. Six months later the maintainer hands the repo to someone else. Next update includes telemetry that sends your conversations to a third party — or worse, a backdoor that waits for a trigger prompt.
What to do about it
1. Pin to specific commits/versions, never 'latest'
npm taught us this. Auto-updates on security-sensitive dependencies are how supply-chain attacks win.
2. Audit the code before installation
MCP servers are usually small. Read them. It takes 10 minutes and catches 90% of sketchy behavior.
3. Prefer official/vendor-maintained servers over third-party
Anthropic's official MCP servers and provider SDKs come with a known accountability chain.
4. Monitor network egress from your MCP servers
If a 'calendar' MCP is making outbound requests to an unknown domain, something is wrong. On Linux: nethogs; on macOS: Little Snitch.
5. Declare each MCP server's purpose in your notes
When you review quarterly, 'I don't remember why this is installed' → uninstall it.
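Step 1 in practice, as an added example that is not part of this post: a Python check that reads an MCP client config in the common `mcpServers` layout and flags every server launched through `npx` or `uvx` without an exact version pin (bare names, 'latest', and ranges all fail). The config layout, the package names and the sample config are assumptions constructed for this example.

```python
import json
import re

# Constructed sample config in the "mcpServers" layout used by several MCP clients
# (layout and package names are assumptions for this example, not from the page).
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "calendar": {"command": "npx", "args": ["-y", "@acme/mcp-calendar", "--port", "3001"]},
    "notes":    {"command": "npx", "args": ["-y", "mcp-notes@latest"]},
    "files":    {"command": "npx", "args": ["-y", "@acme/mcp-files@0.6.2", "/tmp"]},
    "search":   {"command": "uvx", "args": ["mcp-search"]},
    "local":    {"command": "/usr/local/bin/my-mcp", "args": []},
}})

# An exact semver triple only: rejects dist-tags ('latest'), ranges ('^1.2.0') and '1.2'.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")

def package_spec(args):
    """First non-flag argument, i.e. the package in 'npx -y <pkg>' or 'uvx <pkg>'."""
    return next((a for a in args if not a.startswith("-")), None)

def split_spec(command, spec):
    """Return (name, version) with version None when unpinned.
    npm specs are 'name@ver' (scoped names start with '@'); uvx/pip use 'name==ver'."""
    if command == "uvx":
        name, sep, ver = spec.partition("==")
        return name, (ver if sep else None)
    at = spec.rfind("@")
    if at <= 0:                      # no version: bare name or only the '@scope/' prefix
        return spec, None
    return spec[:at], spec[at + 1:]

def audit_pins(config_text):
    """Map each registry-installed server to a finding if it is not pinned exactly."""
    findings = {}
    for name, entry in json.loads(config_text).get("mcpServers", {}).items():
        command = entry.get("command", "")
        if command not in ("npx", "uvx"):
            continue                 # local binary: review its provenance separately
        spec = package_spec(entry.get("args", []))
        if spec is None:
            findings[name] = "no package spec given"
            continue
        pkg, ver = split_spec(command, spec)
        if ver is None:
            findings[name] = f"unpinned: {pkg} resolves to latest on every launch"
        elif not EXACT_VERSION.match(ver):
            findings[name] = f"not an exact version: {pkg}@{ver}"
    return findings
```

Run it against your real client config before each quarterly review; an exact version pin still needs the lockfile or integrity hash check your package manager provides to defend against a republished version.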
Real-world examples
- A popular MCP server for 'note-taking' was acquired and the next release included a step that uploaded conversation history to the new owner's server.
- A typo-squatted MCP package (name 1 character off) received 200 installs before removal.
Examples are illustrative, composited from public incident reports and community posts.