MCP supply chain attacks: a timeline of what's happened so far
The Model Context Protocol promised to be the USB-C of AI agents — a universal bridge connecting LLMs to tools, APIs, and data. In less than a year, it's also become the fastest-growing attack surface in the AI ecosystem. Here's every major incident, what was compromised, and what they reveal about the new threat model.
Why MCP is different
Traditional npm supply chain attacks are bad. A malicious package can steal environment variables, exfiltrate data, or install backdoors. But MCP servers are worse for a specific reason: they operate with high trust and broad permissions inside agent toolchains. An MCP server isn't just code your application runs — it's code your AI agent trusts to act on its behalf, often with access to email, files, databases, and payment systems.
As one researcher put it: this is npm supply chain attacks all over again, except the package can think and has root access to your life.
The timeline
Researchers discovered that Anthropic's own MCP Inspector developer tool allowed unauthenticated remote code execution via its inspector-proxy architecture. An attacker could get arbitrary commands executed on a developer's machine just by having them inspect a malicious MCP server. The inspector ran with user privileges and lacked authentication while listening on localhost — effectively turning a debugging tool into a remote shell.
JFrog disclosed a critical OS command-injection vulnerability in mcp-remote, one of the most popular OAuth proxies for connecting local MCP clients to remote servers. A malicious server could respond with an authorization_endpoint containing shell command injection, leading to arbitrary code execution on the client machine. Referenced in Cloudflare, HuggingFace, and Auth0 documentation, this proxy had massive reach.
Invariant Labs demonstrated that a malicious MCP server could silently exfiltrate a user's entire WhatsApp history by combining tool poisoning with a legitimate whatsapp-mcp server in the same agent. A tool described as "random fact of the day" morphed into a sleeper backdoor that rewrote how WhatsApp messages were sent, forwarding hundreds of past messages to an attacker-controlled number.
Invariant Labs uncovered a prompt injection attack against the official GitHub MCP server. A malicious public GitHub issue could hijack an AI assistant and make it pull data from private repos, then leak that data back to a public repo. With a single over-privileged Personal Access Token, the compromised agent exfiltrated private repository contents, project details, and even financial information into a public pull request.
Supabase's Cursor agent, running with privileged service-role access, processed support tickets that included user-supplied input as commands. Attackers embedded SQL instructions to read and exfiltrate sensitive integration tokens by leaking them into a public support thread. Three factors combined: privileged access, untrusted input, and an external communication channel.
Koi Security discovered the first publicly documented malicious MCP server on npm. A developer copied the legitimate Postmark Labs MCP server code and published it under the same name. For 15 versions it was clean — building trust and downloads. In version 1.0.16, a single line was added: a BCC on every email sent through the tool, silently forwarding password resets, security alerts, invoices, and account confirmations to the attacker.
One week after postmark-mcp, Koi Security found a second malicious MCP server. The @lanyer640/mcp-runcommand-server package was legitimate for nearly a month before being weaponised. It used layered backdoors: a preinstall script that called home, plus a runtime backdoor that spawned a persistent TCP connection giving the attacker continuous remote access. Install but never run? The preinstall catches you. Run the tool? Both backdoors activate.
Cisco researchers discovered that the #1 ranked skill on ClawHub — "What Would Elon Do" — was active malware. It installed Atomic Stealer via prompt injection hidden in SKILL.md files, stealing SSH keys, crypto wallets, browser cookies, Telegram sessions, and .env files. One attacker uploaded 677 packages alone. ClawHub had no security scanning, no publisher verification, and allowed publishing from 1-week-old GitHub accounts.
The pattern
Every incident shares the same structural problem: trust is granted before it's verified. MCP servers operate with broad permissions. Package registries don't audit what's published. And AI agents, by design, follow instructions from tools they've been connected to — including malicious ones.
The attack surface is unique because it combines traditional supply chain vulnerabilities (typosquatting, dependency confusion, malicious updates) with LLM-specific vectors (prompt injection, tool poisoning, metadata manipulation). An attacker doesn't just need to get code onto your machine — they can embed instructions that trick the AI agent itself into performing the exfiltration.
What changes this
The MCP ecosystem needs the same thing every other software ecosystem eventually built: a trust layer between "discover" and "install." App stores have review processes. Package managers have vulnerability scanning. Container registries have image signing. MCP has none of these — yet.
That's what Fabric is building. Every service scored across six independent signals before an agent touches it. Not a single gatekeeper making subjective calls — an automated, multi-signal system that's hard to game because you'd need to pass all six checks simultaneously.
We ran our full six-signal methodology against "What Would Elon Do" — the #1 skill that turned out to be Atomic Stealer. Result: 0.50/5.00. Blocked. Five of six signals independently flagged it. Read the full case study →
Don't let your agents trust blindly.
Score every provider before your agent touches it. Free tier available.
Search the Trust Index →