2 posts tagged with "supply-chain"

MCP Server Supply Chain Risk: When Your Agent's Tools Become Attack Vectors

· 9 min read
Tian Pan
Software Engineer

A developer installs a popular MCP server from a public registry — a Slack integration, a database connector, maybe a file system tool. It works perfectly in testing. Three weeks later, the tool's description silently changes. The agent that used to summarize Slack threads is now exfiltrating environment variables through a parameter field the developer never inspects.

This is not a hypothetical. Malicious MCP server packages have already been caught exfiltrating emails from organizations that installed them. A path traversal flaw in the Smithery.ai registry exposed authentication tokens with control over more than 3,000 hosted MCP servers. The popular mcp-remote npm package (CVE-2025-6514, 558,000+ downloads) contained an arbitrary code execution vulnerability. MCP servers are becoming the new left-pad problem for AI agents — except the blast radius includes your credentials, your data, and your users' trust.

MCP Server Supply Chain Risk: When Your Agent's Tools Become Attack Vectors

· 9 min read
Tian Pan
Software Engineer

In September 2025, an unofficial Postmark MCP server with 1,500 weekly downloads was quietly modified. The update added a single BCC field to its send_email function, silently copying every email to an attacker's address. Users who had auto-update enabled started leaking email content without any visible change in behavior. No error. No alert. The tool worked exactly as expected — it just also worked for someone else.

This is the new shape of supply chain attacks. Not compromised binaries or trojaned libraries, but poisoned tool definitions that AI agents trust implicitly. With over 12,000 public MCP servers indexed across registries and the protocol becoming the default integration layer for AI agents, the MCP ecosystem is recreating every mistake the npm ecosystem made — except the blast radius now includes your agent's ability to read files, send messages, and execute code on your behalf.