On March 24, someone put malware in litellm, a popular Python library for calling LLM APIs. Versions 1.82.7 and 1.82.8 on PyPI stole API keys for OpenAI, Anthropic, and Gemini. Two Hacker News posts about it got 1,159 points total and 364 comments.
The same week, five Chinese tech companies appeared on the MCP.so trending page: Tencent, Zhipu AI, Amap (owned by Alibaba), Baidu, and MiniMax. They all published MCP servers between March 23 and 25. The total number of MCP servers has now reached 18,883.
Everyone noticed litellm. Nobody noticed the Chinese MCP servers. No security review. No public discussion. Nothing.
MCP has the same supply chain problem as npm, but worse
npm's supply chain attacks are well known. event-stream in 2018. ua-parser-js in 2021. MCP is heading down the same path, but with two differences that make it worse.
The first is data direction. When you install an npm package, code runs on your machine. It stays local. When you connect an MCP server, your data leaves your machine. A map server gets your location queries. A search server gets your search queries. A deploy server gets your HTML source code. npm packages do not send data out by default. MCP servers do. That is what they are built for.
The second is geopolitics. npm was mostly neutral. No government had a special interest in controlling JavaScript module registries. MCP is different. Five Chinese tech companies now provide servers that handle location data, search queries, and deployment workflows. Data that flows through these servers may fall under China's Cybersecurity Law (2017), which requires data to stay in China, and China's National Intelligence Law (2017), which requires organizations to cooperate with intelligence work. npm never had this kind of issue.
Three events happened in one week. Nobody connected them.
March 19. Security firm Qualys published a blog post: "MCP Servers: The Shadow IT of the AI Agent Era." They warned that developers install MCP servers without approval from IT departments. The same pattern as Shadow IT in the 2010s, but with AI tools.
March 24. litellm versions 1.82.7 and 1.82.8 on PyPI were found to carry malware. A file called litellm_init.pth stole LLM API credentials; Python processes .pth files in site-packages at interpreter start-up and executes any line in them that begins with "import", so the payload ran whenever the interpreter started. litellm is widely used in production because it lets you call OpenAI, Anthropic, and Gemini through one API. Hacker News gave the story 1,159 points.
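A defender-side check for the mechanism the litellm payload used, added here as an example and not taken from the article or from litellm: it lists every .pth file in the interpreter's site-packages directories whose lines Python would execute at start-up. The sample .pth content, paths and function names are constructed for illustration.

```python
# Added example (not from the article): audit .pth files for lines that
# CPython's site module executes at interpreter start-up. The sample content
# and paths below are constructed for illustration.
import site
from pathlib import Path

# Constructed sample .pth content: two ordinary path entries, a comment,
# and one line that site.py would exec() on every interpreter start.
SAMPLE_PTH = (
    "# constructed sample\n"
    "/opt/constructed/lib\n"
    "import sys; sys.path.insert(0, '/tmp/constructed')\n"
    "/opt/constructed/other\n"
)


def executable_pth_lines(text: str) -> list[str]:
    """Return the lines of a .pth file that CPython's site module would exec().

    site.addpackage() skips blank lines and lines beginning with '#', treats
    lines beginning with 'import ' or 'import<TAB>' as Python code and
    executes them, and treats every other line as a directory for sys.path.
    The checks below mirror that logic exactly (no stripping of leading
    whitespace, because site.py does none).
    """
    flagged = []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(("import ", "import\t")):
            flagged.append(line.rstrip())
    return flagged


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Map each .pth file directly under `directory` to its executable lines."""
    findings = {}
    for pth in sorted(Path(directory).glob("*.pth")):
        lines = executable_pth_lines(pth.read_text(encoding="utf-8", errors="replace"))
        if lines:
            findings[str(pth)] = lines
    return findings


def audit_site_packages() -> dict[str, list[str]]:
    """Audit every site-packages directory the running interpreter uses."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = {}
    for d in dirs:
        if Path(d).is_dir():
            findings.update(audit_directory(Path(d)))
    return findings


if __name__ == "__main__":
    for path, lines in audit_site_packages().items():
        print(path)
        for line in lines:
            print("   ", line)
```

The output is a review list, not a verdict: some legitimate packages ship .pth files with import lines (setuptools' distutils-precedence.pth is one), so the useful signal is a .pth file whose name does not match an installed distribution, or one that appeared with a package upgrade.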
March 23-25. Five Chinese tech companies showed up on MCP.so's trending page. Tencent EdgeOne deploys HTML and returns a public URL. Zhipu AI offers web search with intent recognition. Amap and Baidu provide map and location services. MiniMax provides text-to-speech, image generation, and video generation through MCP.
Nobody has connected these three events. litellm was reported. Qualys published their warning. But no one has asked: who is auditing the five Chinese MCP servers that appeared the same week?
This is not about China being dangerous
This article does not say Chinese MCP servers are dangerous. There is no evidence that any of them contain malware. Some publish their source code on GitHub.
The problem is structural. 18,883 MCP servers exist, and there is no standard audit process. After the event-stream attack in 2018, it took npm years to add package signing and scoped registries. MCP will need server verification and data flow monitoring. The difference is that MCP sends live data, not just code. The attack surface is wider.
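One shape the "server verification and data flow monitoring" mentioned above could take on the client side, added here as an example that is not from the article or from any MCP implementation: a policy check run on every outbound JSON-RPC tools/call message before it reaches a server, with an allowlist per server, a size budget for arguments, and a heuristic for credential-shaped strings. The server names, tools, policy table, sample messages and key patterns are all constructed for illustration.

```python
# Added example (not from the article): client-side policy check on outbound
# MCP tools/call messages. Server names, policies and sample messages are
# constructed; the secret-pattern regex is a rough heuristic, not a scanner.
import json
import re
from dataclasses import dataclass

# Rough heuristic for credential-shaped strings that should never leave the
# machine inside a tool argument (OpenAI-style 'sk-' keys, Google 'AIza' keys).
SECRET_PATTERN = re.compile(r"\b(?:sk-[A-Za-z0-9_-]{16,}|AIza[0-9A-Za-z_-]{20,})\b")


@dataclass(frozen=True)
class ServerPolicy:
    allowed_tools: frozenset
    max_argument_bytes: int


# Constructed allowlist: only these servers may receive tool calls at all,
# and only with the named tools and bounded argument sizes.
POLICIES = {
    "maps-server": ServerPolicy(frozenset({"geocode"}), 512),
    "search-server": ServerPolicy(frozenset({"web_search"}), 2048),
}

AUDIT_LOG: list[dict] = []  # one entry per tool call seen, allowed or not


def inspect_outbound(server: str, raw_message: str) -> dict:
    """Decide whether a JSON-RPC message may be sent to `server`, and log it.

    Messages other than tools/call (initialize, tools/list, ...) pass through
    unlogged. For tools/call the server must be allowlisted, the tool
    permitted, and the serialized arguments within the size budget and free
    of credential-shaped strings.
    """
    msg = json.loads(raw_message)
    if msg.get("method") != "tools/call":
        return {"server": server, "allow": True, "reason": "not a tool call"}

    params = msg.get("params") or {}
    tool = params.get("name")
    payload = json.dumps(params.get("arguments") or {}, sort_keys=True)
    entry = {"server": server, "tool": tool, "bytes": len(payload.encode("utf-8"))}

    policy = POLICIES.get(server)
    if policy is None:
        allow, reason = False, "server not on allowlist"
    elif tool not in policy.allowed_tools:
        allow, reason = False, f"tool {tool!r} not permitted for {server}"
    elif entry["bytes"] > policy.max_argument_bytes:
        allow, reason = False, "arguments exceed size budget"
    elif SECRET_PATTERN.search(payload):
        allow, reason = False, "arguments contain a credential-shaped string"
    else:
        allow, reason = True, "ok"

    entry.update(allow=allow, reason=reason)
    AUDIT_LOG.append(entry)
    return entry


# Constructed sample messages in MCP's JSON-RPC 2.0 shape.
MSG_GEOCODE = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                          "params": {"name": "geocode",
                                     "arguments": {"address": "1 Example St"}}})
MSG_CLEAN_SEARCH = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                               "params": {"name": "web_search",
                                          "arguments": {"query": "mcp audit process"}}})
MSG_LEAKY_SEARCH = json.dumps({"jsonrpc": "2.0", "id": 3, "method": "tools/call",
                               "params": {"name": "web_search",
                                          "arguments": {"query": "debug sk-" + "A" * 24}}})
MSG_LIST = json.dumps({"jsonrpc": "2.0", "id": 4, "method": "tools/list"})

if __name__ == "__main__":
    for server, raw in [("maps-server", MSG_GEOCODE), ("unlisted-server", MSG_GEOCODE),
                        ("search-server", MSG_CLEAN_SEARCH), ("search-server", MSG_LEAKY_SEARCH),
                        ("maps-server", MSG_LIST)]:
        print(inspect_outbound(server, raw))
```

In practice this check would sit in the client's transport layer (the hook that writes to the server's stdin or HTTP connection), and AUDIT_LOG would be shipped to the same place as other egress logs, so that the question "which server received which data" has an answer after the fact.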
Our previous article, "MCP tool spoofing: 100% success rate," covered protocol-level risks. This is a different kind of problem. Not how MCP is designed, but who publishes servers, where data goes, and who checks.
Ten years of npm lessons. One year to learn them.
MCP is becoming the npm of AI. Same supply chain problem, but higher stakes. Live data instead of static code. National interests instead of neutral registries. npm needed ten years to learn its lessons. MCP needs to learn them in one. The litellm hack was the first warning sign. The next one might come from an MCP server itself.