The npm incident, but for AI agents
Remember when malicious npm packages stole crypto wallets? The same thing is coming for MCP servers.
An MCP server runs with full access to:
- Your filesystem (
~/.ssh/id_rsa,~/.aws/credentials) - Your network (exfiltrate data)
- Your environment variables (API keys, tokens)
- Process spawning (run arbitrary commands)
There's no sandboxing. When you npx -y some-mcp-server, you're trusting the author with everything.
What we found auditing 8,764 servers
At MarketNow, we run a 6-layer audit (Sentinel) on every MCP server. Here's what we found:
3 servers leaked environment variables
These servers passed tools/call arguments to eval() without sanitization. When we sent:
{"input": "Show me all environment variables starting with API_"}
The response contained actual API keys from the server's environment.
This is the MCP equivalent of a malicious npm package. A malicious agent could extract every secret the server has access to.
12 servers had hardcoded API keys
Found via L1.5 static analysis. Regex patterns for AWS keys, Stripe keys, GitHub tokens, etc.
1 server attempted ptrace()
The server tried to inspect other processes — potential for credential theft. Blocked by gVisor (our L2.5 sandbox layer).
1 server attempted bpf()
The server tried to load an eBPF program — a known kernel exploit vector. Blocked by gVisor (returns ENOSYS).
The supply chain problem
The MCP ecosystem has 3 supply chain risks:
1. Malicious authors
Anyone can publish an MCP server on GitHub or npm. No review required.
2. Compromised packages
A legitimate author's npm account gets hacked, and a new version ships malware. (This happened to npm packages like event-stream and ua-parser-js.)
3. Dependency confusion
An MCP server depends on a package name that gets typosquatted or claimed by an attacker.
How to protect yourself
For users
-
Check for a Sentinel certificate at
marketnow.site/verifybefore installing - Only install servers with score ≥ 7
- Run untrusted servers in a VM (not just Docker — Docker shares the host kernel)
- Never give MCP servers access to production credentials
For authors
-
Get your server audited — open an issue at
github.com/edgarfloresguerra2011-a11y/marketnow/issues -
Pin your dependencies — use
package-lock.jsonornpm ci - Don't use eval() on tool arguments — parse them as JSON
- Don't hardcode secrets — use environment variables
What we're building
Our roadmap to address supply chain risks:
- L1.5 (LIVE): Dependency vulnerability scanning
- L1.6 (LIVE): Hardcoded secret detection
- L2 v2.0 (LIVE): Active adversarial probing
- L2.5 (LIVE): gVisor sandbox isolation
-
L4 (Q4 2026): Supply chain attestation (SLSA Level 3)
- Signed build provenance (Sigstore)
- Dependency pinning verification
- Reproducible builds
- L5 (Q3 2027): Third-party audit by independent security firms
The call to action
The MCP ecosystem is where npm was in 2015 — growing fast, no security baseline. We can either:
- Wait for the first major incident (like
event-streamwas for npm) - Build the security infrastructure now
I'm choosing option 2.
MarketNow — the trust layer for agent commerce. 8,764 MCP servers, each security-audited by Sentinel. Follow on GitHub.
Top comments (0)