We monitor 316 MCP server packages on npm continuously. This is the first public snapshot of what the ecosystem looks like from a security perspective.
The numbers
4,600+ scans completed across 316 packages since monitoring began in late March. Every package is rescanned on a rolling basis, with real-time detection of new npm publishes via the registry changes feed.
| Risk Level | Packages | Share |
|---|---|---|
| LOW | 241 | 76% |
| MODERATE | 57 | 18% |
| ELEVATED | 15 | 5% |
| HIGH | 3 | 1% |
| CRITICAL | 0 | 0% |
Mean score across the ecosystem: 89/100. Median: 95/100. 50 packages score a perfect 100.
What we found
The three most common findings across monitored packages:
Missing provenance. The majority of MCP servers are published by individual npm accounts without provenance attestations or trusted publishing. This means there is no verifiable link between the source repository and the published artifact. When a maintainer account gets compromised (as happened with axios on March 31), there is no way to distinguish a legitimate release from a malicious one.
Missing metadata. Many packages lack a licence, repository link, or meaningful description. These are low-severity individually, but they signal low publish hygiene. Packages with incomplete metadata are harder to audit and verify.
Source code patterns. A small number of packages contain command injection patterns, unsafe eval with dynamic input, or hardcoded secrets in their published source. These are the highest-severity findings and affect 3 packages at HIGH risk.
Incidents this period
axios npm compromise (March 31). Malicious versions 1.14.1 and 0.30.4 were published with a hidden dependency deploying a cross-platform RAT. Two monitored MCP servers (exa-mcp-server, tavily-mcp) had axios in their direct dependency chain. Full analysis
Azure MCP Server CVE-2026-32211 (April 3). A CVSS 9.1 authentication flaw: the Azure MCP Server was missing authentication. We had flagged the package for install script concerns and missing provenance before the CVE was disclosed. Full analysis
The posture problem
MCP servers are npm packages with all the supply chain risks that come with that. But they carry additional risk because they handle API tokens, file system access, and tool permissions that AI agents use to interact with production systems.
The MCP specification makes authentication optional. The official registry lists servers but does not assess them. Most packages are published without provenance, meaning a compromised maintainer account can push malicious code with no structural safeguard.
76% of the ecosystem scoring LOW is better than we expected. But 24% having findings, and 6% at ELEVATED or above, in a protocol that is gaining mainstream adoption, is worth paying attention to.
What we check
Install scripts, prompt injection patterns in metadata, source code patterns (command injection, unsafe eval, hardcoded secrets), publisher provenance, dependency count, and metadata completeness. We also extract MCP tool definitions from published source and track tool manifest changes over time.
Full methodology: https://agentscores.xyz/methodology
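To make the provenance, metadata and install-script checks above concrete, here is an added example (not AgentScore's scanner and not its scoring model) that runs a simplified version of those checks over an npm registry per-version manifest. The package name, the severities, the risk-level mapping and the dependency-count threshold are assumptions; the `dist.attestations` field is what the registry attaches to versions published with provenance.

```javascript
// Added example: minimal checks in the spirit of the list above, run over a
// registry version manifest. Severities and thresholds are assumptions.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"]; // run on consumers' machines
const MAX_DEPS = 20; // assumed threshold for the dependency-count finding
const ORDER = ["low", "moderate", "elevated", "high", "critical"];

function assessManifest(manifest) {
  const findings = [];
  // Provenance: npm attaches dist.attestations only when the version was
  // published with --provenance or via trusted publishing.
  if (!manifest.dist || !manifest.dist.attestations) {
    findings.push({ id: "missing-provenance", severity: "moderate" });
  }
  // Metadata completeness: low severity individually, but a hygiene signal.
  for (const field of ["license", "repository", "description"]) {
    if (!manifest[field]) findings.push({ id: `missing-${field}`, severity: "low" });
  }
  // Install scripts execute arbitrary commands at install time.
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ id: `install-script:${hook}`, severity: "elevated", detail: scripts[hook] });
    }
  }
  // Large dependency trees widen the supply-chain surface (see the axios case).
  const depCount = Object.keys(manifest.dependencies || {}).length;
  if (depCount > MAX_DEPS) findings.push({ id: "many-dependencies", severity: "low", detail: String(depCount) });
  return findings;
}

// Assumed mapping: the highest-severity finding sets the package's risk level.
function riskLevel(findings) {
  if (findings.length === 0) return "LOW";
  const worst = findings.reduce((a, f) => Math.max(a, ORDER.indexOf(f.severity)), 0);
  return ORDER[worst].toUpperCase();
}

// Constructed sample, shaped like the registry's per-version document
// (no license, no repository, a postinstall hook, no attestations).
const SAMPLE = {
  name: "example-mcp-server", // constructed name, not a real package
  version: "1.0.0",
  description: "Example MCP server",
  scripts: { postinstall: "node scripts/setup.js" },
  dependencies: { "@modelcontextprotocol/sdk": "^1.0.0", axios: "^1.6.0" },
  dist: { tarball: "https://registry.npmjs.org/example-mcp-server/-/example-mcp-server-1.0.0.tgz" },
};

console.log(riskLevel(assessManifest(SAMPLE)), assessManifest(SAMPLE));
```

Against a real package, fetch `https://registry.npmjs.org/<name>/<version>` and pass the JSON to `assessManifest`; a version published with provenance will carry `dist.attestations` and clear the first finding.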
Follow this
Security advisories are published automatically when a monitored package changes risk level:
- Web: https://agentscores.xyz/security/advisories
- RSS: https://agentscores.xyz/security/advisories/rss.xml
- JSON: https://agentscores.xyz/api/advisories
Scan any MCP package yourself at https://agentscores.xyz
Published by AgentScore. We monitor the MCP ecosystem so you don't have to.