Model Context Protocol (MCP) servers are becoming essential tools for AI workflows. But with great power comes great security risk.
I just finished scanning 13 of the most popular MCP servers using mcp-fortress, an open-source security scanner I built for the MCP ecosystem.
Here's what every MCP user needs to know.
🚨 The First Malicious MCP Server
Before I even started scanning, security researchers at Semgrep and Snyk discovered postmark-mcp - the first confirmed malicious MCP server on npm.
What it did: Added a hidden BCC to all emails sent through AI agents, silently harvesting every email.
Why it matters: This proves MCP servers are already being weaponized. It won't be the last.
What I Scanned
I scanned 13 packages including:
Official Anthropic Servers:
- @modelcontextprotocol/server-filesystem
- @modelcontextprotocol/server-puppeteer
- @modelcontextprotocol/server-github
- @modelcontextprotocol/server-slack
- ...and more
Popular Third-Party Servers:
- mcp-framework (80+ projects depend on it)
- mcp-use (complete MCP framework)
- @contentful/mcp-server
- ...and more
✅ The Good News
All official @modelcontextprotocol servers are exceptionally secure:
- 0 CVEs found
- Minimal dependencies (<15 for most)
- No suspicious patterns
- Regular updates
Verdict: Trust and use official servers with confidence.
⚠️ The Concerning Patterns
Undisclosed Telemetry
mcp-use makes 6 external network requests to:
- PostHog (analytics)
- Langfuse (LLM tracking)
- Scarf (package analytics)
- Vendor cloud
Issue: Not disclosed in documentation. Users should know their AI interactions are being tracked.
Dependency Risk
| Package | Dependencies | Risk |
|---|---|---|
| mcp-use | 47 | Medium |
| @modelcontextprotocol/sdk | 37 | Low |
| mcp-framework | 27 | Low |
More dependencies = more supply chain attack surface.
🛡️ How to Protect Yourself
1. Scan Before Installing
```sh
# Quick scan (no install needed)
npx mcp-fortress scan @modelcontextprotocol/server-github
# Or install the tool globally
npm install -g mcp-fortress
```
2. Check These Red Flags
🚩 Published < 1 week ago
🚩 0 downloads or GitHub stars
🚩 No source code repository
🚩 Typosquatting names
🚩 300+ dependencies
🚩 Undisclosed external requests
3. Use Sandbox Environments
Test new MCP servers in isolated VMs/containers before giving production access.
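As an added example (not code from the post or from mcp-fortress), here is a small Node script that applies the red-flag checklist above to an npm registry document plus the package's source and README; the package metadata, source snippet and README are constructed samples, and the downloads/stars checks are left out because they need the separate downloads and GitHub APIs.

```javascript
// Added example: red-flag checks over npm registry metadata. `meta` mimics the
// document that https://registry.npmjs.org/<name> returns; all inputs are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
const HOST_RE = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
// Names we consider trusted; a near-miss of one of these is a typosquat candidate.
const TRUSTED = ['mcp-fortress', '@modelcontextprotocol/server-github'];

// Levenshtein distance, used to spot names one or two keystrokes from a trusted one.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Hostnames referenced by absolute URLs in a blob of text (source or README).
function extractHosts(text) {
  return new Set([...text.matchAll(HOST_RE)].map(m => m[1].toLowerCase()));
}

// Returns the red flags raised for one package; an empty array means none fired.
function redFlags(meta, sourceText, readmeText, now = new Date()) {
  const flags = [];
  const latest = meta['dist-tags'].latest;
  const deps = Object.keys(meta.versions[latest].dependencies || {}).length;
  if (now - new Date(meta.time.created) < 7 * DAY_MS) flags.push('published < 1 week ago');
  if (!meta.repository || !meta.repository.url) flags.push('no source code repository');
  if (deps >= 300) flags.push(`${deps} dependencies`);
  const near = TRUSTED.find(t => t !== meta.name && editDistance(t, meta.name) <= 2);
  if (near) flags.push(`name looks like typosquat of ${near}`);
  // A host contacted by the code but never mentioned in the README is undisclosed.
  const documented = extractHosts(readmeText);
  const undisclosed = [...extractHosts(sourceText)].filter(h => !documented.has(h));
  if (undisclosed.length) flags.push(`undisclosed external requests: ${undisclosed.join(', ')}`);
  return flags;
}

// Constructed sample: a day-old look-alike package that phones home to an analytics host.
const SAMPLE_META = {
  name: 'mcp-fortres',
  'dist-tags': { latest: '0.0.1' },
  time: { created: '2025-01-01T00:00:00Z' },
  versions: { '0.0.1': { dependencies: { posthog: '^1' } } },
};
const SAMPLE_SOURCE = "fetch('https://app.posthog.com/capture', { method: 'POST' })";
const SAMPLE_README = 'Example server. Docs at https://example.com/docs';
const report = redFlags(SAMPLE_META, SAMPLE_SOURCE, SAMPLE_README, new Date('2025-01-02T00:00:00Z'));
console.log(report.join('\n'));
```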
🎯 Key Takeaways
- Official servers are safe - use them with confidence
- Third-party servers need scrutiny - scan before installing
- Malicious servers exist - postmark-mcp proves this
- Always scan packages: `npx mcp-fortress scan <package>`
What Needs to Happen
The MCP ecosystem needs:
- Security guidelines for developers
- Vetting process for popular servers
- Transparency requirements (disclose telemetry)
- Built-in scanning in Claude Desktop, Cursor, etc.
We're in the "npm 10 years ago" phase. Let's not repeat the same security mistakes.
🏰 About MCP Fortress
mcp-fortress is a free, open-source security scanner for MCP servers that works three ways:
1️⃣ CLI Tool
```sh
npm install -g mcp-fortress
mcp-fortress scan @modelcontextprotocol/server-github
```
2️⃣ MCP Server (Scan from Claude Desktop)
Add to your claude_desktop_config.json:
```json
{
  "mcpServers": {
    "mcp-fortress": {
      "command": "mcp-fortress",
      "args": ["serve-mcp"]
    }
  }
}
```
Now you can ask Claude: "Scan the puppeteer MCP server for vulnerabilities"
3️⃣ Claude Code Plugin
Install the MCP Fortress plugin in Claude Code to scan MCP servers directly from your coding environment.
Features:
- ✅ Scans for CVEs via the OSV database
- ✅ Detects dangerous code patterns (eval, exec, etc.)
- ✅ Finds undisclosed external requests
- ✅ Analyzes dependency risks
- ✅ Scores security risk
- ✅ Detects prompt injection attempts
- ✅ Identifies tool poisoning
Use it however you want:
- CLI: Quick terminal scans
- MCP Server: Integrate into your AI workflow
- Claude Code Plugin: Scan while you code
Links:
- GitHub: https://github.com/mcp-fortress/mcp-fortress
- npm: https://www.npmjs.com/package/mcp-fortress
- MCP Registry: https://registry.modelcontextprotocol.io
- Smithery (Remote): https://smithery.ai/server/@mcp-fortress/mcp-fortress-server
What do you think about MCP security? Share your thoughts in the comments!
If you found this valuable, star the repo and spread the word. Security is a team sport.