The MCP package looked clean. The installed tree did not.

We audited 31 MCP server packages across npm and PyPI.

For each one, we ran two checks:

a direct check of the top-level package
a scan of the installed dependency tree
The direct package check found 1 finding.

The installed trees found 69.

Findings by scan view

That difference is the story.

MCP servers are installable tool surfaces. When an operator installs one, the package manager resolves a runtime tree. That tree can contain vulnerable dependencies even when the top-level package has no finding attached to it.

In this run, 11 of 31 installed trees had at least one finding. Across those trees, we saw 54 unique vulnerabilities: 2 critical, 34 high, 28 medium, 4 low, and 1 unknown severity.

This does not mean every finding is exploitable in every deployment. It does mean a shallow package check answers a narrower question than operators usually need answered.

The Scan Shape
The population covered 21 npm packages and 10 PyPI packages.

Each target produced two records:

The installed-tree findings were not just low-severity noise:

Installed-tree severity mix

The Operational Lesson
For MCP, the thing worth scanning is not only the package identifier.

It is the installed tree.

That means:

resolve the package
install it in isolation
capture the actual installed version
scan runtime dependencies
record registry metadata such as deprecation and yanked-release status
This matters because MCP is not confined to npm. In this audit, almost one-third of the targets were PyPI packages. Any MCP scanning program that only understands npm is incomplete by design.

Why This Version Is Aggregate
This version keeps target names out of the article. Some results are tied to active maintainers, so named evidence should go through direct notification first.

The aggregate finding is still actionable:

Direct package checks are not enough for MCP infrastructure. Operators need installed-tree scans.

That is the part teams can fix today.

Bindfort Research is expanding this work into a broader MCP ecosystem audit. Maintainers and operators who want to compare results privately can contact research@bindfort.com.