Configuration & Environment
Installing an MCP server from an unvetted source — typosquat, abandoned package, compromised maintainer — gives the server full capability on your host.
Supply-chain attacks apply to MCP the same way they apply to npm and PyPI, but with higher stakes: the "installed package" does not just run during your build, it runs any time your agent is active. Typosquats are common; acquisition of abandoned packages by attackers is common; signed releases are not yet common.
Discovery of new MCP servers today happens through blog posts, Twitter, and curated lists. None of those enforce integrity. A user searching for `mcp-slack` may find three similarly-named packages and no signal about which is canonical.
```json
// claude_desktop_config.json
{
  "mcpServers": {
    "slack": {
      "command": "npx",
      "args": ["-y", "slack-mcp-helper"] // typosquat of "mcp-slack"
    }
  }
}
```
```json
// Pin by integrity hash and refuse unpinned installs.
{
  "mcpServers": {
    "slack": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-slack@1.4.0",
        "--integrity=sha512-abc..."
      ]
    }
  }
}
```
We compute a Levenshtein distance between new package names and our index of known-good MCP servers, flag suspiciously close matches, and surface maintainer-change events (ownership transfers) as HIGH evidence.
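The two checks above, as an added example that is not MCPSafe's own code: it parses a `claude_desktop_config.json`, flags npx-launched servers whose package is unpinned, and scores every unknown package name against a known-good index with Levenshtein distance. The index contents and the `max_distance` threshold are assumptions; note that raw edit distance catches single-character squats but not token reorderings such as `slack-mcp-helper` versus `mcp-slack`.

```python
"""Scan an MCP client config for unpinned and near-miss package names."""
import json
import re

# Constructed known-good index; a real scanner would load it from a vetted source.
KNOWN_GOOD = (
    "@modelcontextprotocol/server-filesystem",
    "@modelcontextprotocol/server-github",
    "@modelcontextprotocol/server-slack",
)

def levenshtein(a: str, b: str) -> int:
    """Two-row dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_spec(spec: str):
    """'@scope/name@1.4.0' -> ('@scope/name', '1.4.0'); version is None if unpinned."""
    m = re.fullmatch(r"(@?[^@]+)(?:@(.+))?", spec)
    return m.group(1), m.group(2)

def package_from_args(args):
    """The first npx argument that is not a flag is the package spec."""
    for a in args:
        if not a.startswith("-"):
            return a
    return None

def scan_config(text: str, max_distance: int = 2):
    """Return (server, finding, detail) tuples for every npx-launched server."""
    findings = []
    for name, srv in json.loads(text).get("mcpServers", {}).items():
        if srv.get("command") != "npx":
            continue
        spec = package_from_args(srv.get("args", []))
        if spec is None:
            continue
        pkg, version = split_spec(spec)
        if version is None:
            findings.append((name, "UNPINNED", pkg))
        if pkg in KNOWN_GOOD:
            continue  # exact known-good match needs no distance check
        for good in KNOWN_GOOD:
            d = levenshtein(pkg.lower(), good.lower())
            if d <= max_distance:
                findings.append((name, "NEAR_MISS", f"{pkg} ~ {good} (distance {d})"))
    return findings
```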
See the full threat catalog for every documented detection.
MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.