In 2018 the event-stream npm package got a malicious update that targeted a specific Bitcoin wallet. Millions of downloads. One compromised maintainer.
MCP is heading down the same path, just faster.
The config everyone has
If you've used Claude Desktop, Cursor, or any MCP client, your config probably looks like this:
```json
{
  "mcpServers": {
    "my-tool": {
      "command": "npx",
      "args": ["-y", "some-mcp-server"]
    }
  }
}
```
That -y flag means "install without asking." No version pin. Every time your agent starts, it pulls whatever version is latest from npm. If the package gets compromised tomorrow, your agent runs the compromised version automatically.
This is not theoretical. We found 502 MCP server configurations doing exactly this across the registries we monitor.
What we scanned
Aguara Watch crawls every major MCP registry: skills.sh, ClawHub, PulseMCP, mcp.so, LobeHub, Smithery, Glama. Over 42,000 tools. 148 detection rules. Incremental scans every 6 hours.
Here's what the data shows.
Pattern 1: No version pins
```
// What most configs look like
"args": ["-y", "some-mcp-server"]

// What they should look like
"args": ["-y", "some-mcp-server@1.2.3"]
```
502 MCP servers reference npx packages without pinning a version. Your agent silently pulls whatever is latest. A compromised update, a typosquatted package, or a dependency confusion attack would be invisible.
npm learned this lesson years ago. MCP hasn't.
Pattern 2: Remote servers with no verification
1,050 MCP configurations point to non-localhost remote URLs. Your agent sends tool calls and their arguments to a server you don't control, over a connection you can't inspect.
Some are legitimate cloud services. But the protocol has no built-in server authentication. No certificate pinning. No way for the client to verify that https://mcp.some-service.com is actually run by whom you think it is.
Pattern 3: Auto-install without confirmation
448 configurations use auto-install flags that bypass user confirmation. Combined with no version pin, this creates a fully automated pipeline from "compromised package on npm" to "code running on your machine."
No prompt. No hash check. It just runs.
Pattern 4: Mutable external content
467 tools reference GitHub raw URLs for configuration or instructions. The content behind these URLs changes whenever the branch moves. A tool that loads instructions from raw.githubusercontent.com/user/repo/main/config.yaml will execute whatever that file contains today, even if it was different yesterday.
Commit-pinned URLs fix this. Almost nobody uses them.
Pattern 5: Package managers inside tools
1,679 tool definitions include pip install commands for arbitrary packages. 742 include system package manager calls (apt-get install, brew install). These run with whatever permissions the agent process has.
Your agent can install software on your machine. Not as a bug. As a feature the tool description explicitly requests.
The numbers
| Finding | Count |
|---|---|
| npx without version pin | 502 |
| Non-localhost remote MCP server | 1,050 |
| Auto-install without confirmation | 448 |
| Mutable GitHub raw URLs | 467 |
| pip install arbitrary package | 1,679 |
| System package manager install | 742 |
| Total findings across all rules | 19,830 |
| CRITICAL severity | 485 |
| HIGH severity | 1,718 |
These are not theoretical vulnerabilities. These are patterns running in production MCP server listings right now.
What you can do
1. Pin your versions.
```
"args": ["-y", "some-mcp-server@1.2.3"]
```
Two seconds of work. Eliminates an entire class of supply chain attacks.
2. Scan your MCP configs.
```bash
curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
aguara scan --auto
```
Aguara finds your Claude Desktop, Cursor, Windsurf, and other MCP client configs automatically and scans them against 148 rules tuned on 42,000+ real tools.
3. Read what your tools do.
Check the tool definitions. Look at what commands they run, what URLs they hit, what packages they install. If a "weather" tool needs subprocess.run(), something is wrong.
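To make the five patterns above and the "scan your configs" / "read what your tools do" steps concrete, here is an added example of a minimal checker. It is not Aguara's code and does not use Aguara's rules; the config and tool descriptions it scans are constructed for the example, and rule names such as `npx-unpinned` and the `@org/server` / `mcp.some-service.example` values are assumptions made up for illustration. It flags unpinned npx packages, auto-install flags, non-localhost server URLs, raw GitHub URLs whose ref is a branch rather than a commit SHA, and package-manager installs mentioned in tool definition text.

```python
"""Added example (not Aguara's code): a minimal checker for the MCP config
patterns discussed above, run over a constructed client config."""
import json
import re
from urllib.parse import urlparse

# Constructed sample config (not from any real client); each entry exercises one pattern.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "unpinned": {"command": "npx", "args": ["-y", "some-mcp-server"]},
        "pinned": {"command": "npx", "args": ["-y", "some-mcp-server@1.2.3"]},
        "scoped-unpinned": {"command": "npx", "args": ["--yes", "@org/server"]},
        "remote": {"url": "https://mcp.some-service.example/sse"},
        "local": {"url": "http://localhost:3000/sse"},
        "mutable-instructions": {
            "command": "uvx",
            "args": ["some-tool", "--config",
                     "https://raw.githubusercontent.com/user/repo/main/config.yaml"],
        },
    }
})

# Constructed tool descriptions (hypothetical), as a client might show them to the user.
SAMPLE_TOOL_DEFS = {
    "weather": "Returns the forecast for a city. Calls the public API over HTTPS.",
    "setup-helper": "Runs `pip install requests` and `apt-get install jq` before use.",
}

AUTO_INSTALL_FLAGS = {"-y", "--yes"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
RAW_GH_RE = re.compile(r"https://raw\.githubusercontent\.com/[^/\s]+/[^/\s]+/([^/\s]+)/")
PKG_MGR_RE = re.compile(r"\b(pip3?|apt-get|apt|brew)\s+install\b")


def npx_package_spec(args):
    """Return the first non-flag argument of an npx invocation (the package spec)."""
    for a in args:
        if not a.startswith("-"):
            return a
    return None


def is_pinned(spec):
    """'pkg@1.2.3' and '@scope/pkg@1.2.3' are pinned; 'pkg' and '@scope/pkg' are not.
    A range such as 'pkg@^1' still floats, so it is treated as unpinned too."""
    name, sep, version = spec.rpartition("@")
    if not sep or not name:  # no '@' at all, or '@scope/pkg' with no version part
        return False
    return re.fullmatch(r"\d+\.\d+\.\d+", version) is not None


def check_server(name, server):
    """Yield (rule, detail) findings for one mcpServers entry."""
    args = server.get("args", [])
    if server.get("command") == "npx":
        spec = npx_package_spec(args)
        if spec and not is_pinned(spec):
            yield ("npx-unpinned", f"{name}: {spec}")
        used = [a for a in args if a in AUTO_INSTALL_FLAGS]
        if used:
            yield ("auto-install", f"{name}: {' '.join(used)}")
    url = server.get("url")
    if url:
        host = urlparse(url).hostname or ""
        if host not in LOCAL_HOSTS:
            yield ("remote-server", f"{name}: {host}")
    for a in args:
        m = RAW_GH_RE.search(a)
        if m and not SHA_RE.match(m.group(1)):  # branch or tag ref, not a commit SHA
            yield ("mutable-raw-url", f"{name}: ref={m.group(1)}")


def check_tool_text(name, text):
    """Yield a finding for every package-manager install mentioned in a tool definition."""
    for m in PKG_MGR_RE.finditer(text):
        yield ("package-manager-install", f"{name}: {m.group(0)}")


def scan_config(text):
    """Parse an MCP client config and return findings as a list of (rule, detail)."""
    cfg = json.loads(text)
    findings = []
    for name, server in cfg.get("mcpServers", {}).items():
        findings.extend(check_server(name, server))
    return findings


def scan_tool_defs(defs):
    """Return findings for a {tool name: description} mapping."""
    findings = []
    for name, text in defs.items():
        findings.extend(check_tool_text(name, text))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count}, like the table above."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in scan_config(SAMPLE_CONFIG) + scan_tool_defs(SAMPLE_TOOL_DEFS):
        print(f"{rule:24} {detail}")
```

The auto-install check fires even for pinned packages, matching the separate "auto-install without confirmation" count above: a pin removes the floating-version risk, but `-y` still means nothing asks you before the package runs. Pointing the script at a real `claude_desktop_config.json` only requires reading the file instead of `SAMPLE_CONFIG`.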
The parallel
npm went through this exact cycle: rapid adoption, minimal review, supply chain attacks, then lockfiles and audits became standard.
MCP is in the rapid adoption phase. The difference is that MCP tools don't run in a sandboxed browser tab. They run with your shell, your file system, your credentials. The blast radius is your entire machine.
We don't need to repeat the same cycle. We can learn from it.
Aguara is open-source (Apache-2.0). The observatory is live. If you're running MCP servers, scan your configs.
You might be surprised what's in there.