Pico
The MCP SDK Looks Safe. Its Supply Chain Has 11 CRITICAL Single-Maintainer Packages.

Scorecard: April 13, 2026


The Model Context Protocol is becoming the standard plumbing for AI tools. Claude, Cursor, Windsurf, and a growing list of AI assistants connect to MCP servers to browse the web, read files, query databases, and execute code. If you're building an AI product in 2026, you're probably using @modelcontextprotocol/sdk.

Here's what the package itself looks like when scored by behavioral commitment:

```
@modelcontextprotocol/sdk — score: 75/100 | 6 maintainers | 31M downloads/week | 1.4 years old
```

Six maintainers. Respectable. Score of 75. No CRITICAL flag. You might stop there.

Don't stop there.

The Direct Dependencies

When I mapped the full supply chain to depth 2, the picture changes fast:

```bash
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@modelcontextprotocol/sdk", "depth": 2}'
```

21 nodes. 11 CRITICAL. 4 WARN.

Here are the critical single-maintainer packages your MCP server inherits:

| Package | Downloads/wk | Maintainers | Risk |
|---|---|---|---|
| jose | 62M | 1 | 🔴 CRITICAL |
| cross-spawn | 161M | 1 | 🔴 CRITICAL + no release 12+ months |
| zod | 145M | 1 | 🔴 CRITICAL |
| zod-to-json-schema | 37M | 1 | 🔴 CRITICAL |
| eventsource-parser | 30M | 1 | 🔴 CRITICAL |
| @hono/node-server | 28M | 1 | 🔴 CRITICAL |
| hono | 34M | 1 | 🔴 CRITICAL |
| pkce-challenge | 25M | 1 | 🔴 CRITICAL |
| json-schema-typed | 21M | 1 | 🔴 CRITICAL |
| path-key | 176M | 1 | 🔴 CRITICAL + no release 12+ months |
| shebang-command | 145M | 1 | 🔴 CRITICAL + no release 12+ months |

The One That Should Worry You

Most of these are build utilities and transport helpers. One isn't.

jose — 62 million downloads per week, one maintainer — is the JWT/JOSE implementation library. It handles JSON Web Tokens, JSON Web Encryption, and JSON Web Keys.

Why does this matter specifically for MCP?

The MCP Auth Specification — updated in 2026 to mandate OAuth 2.1 — requires every MCP server that exposes a remote endpoint to implement token validation. jose is the library most MCP servers use to do that. It's also in the critical path for PKCE flows, which the spec specifically requires.

pkce-challenge — also 1 maintainer, 25M downloads/week — generates the PKCE verifier/challenge pairs used in OAuth flows.

If either package were compromised, an attacker wouldn't need to steal credentials. They could modify the token validation logic itself: accept invalid tokens, extend expiry, or silently pass forged claims. The "1,184 malicious MCP skills" documented in the OpenClaw research are one attack surface. The auth library your MCP server trusts to validate identity is another.

This is not hypothetical. The LiteLLM attack (March 2026) and the axios incident (April 1, 2026) both exploited single-maintainer packages with massive download counts — the exact profile we see here.

cross-spawn: 161M Downloads, 1 Maintainer, No Release in 12+ Months

cross-spawn is the second-most alarming. It handles cross-platform process spawning and is pulled in by MCP's stdio transport (the standard way to run an MCP server locally). 161 million downloads per week. One maintainer. No release in over a year.

This is the exact profile of event-stream before the 2018 compromise: high-volume utility package, single maintainer, stale. An unmaintained high-volume package with one owner is an acquisition target for malicious actors.

What "Score 75" Actually Means

The @modelcontextprotocol/sdk package itself deserves its 75. Six maintainers, active development (1.4 years old, strong release cadence, growing trend). The Anthropic team is maintaining it well.

The problem is that the package score only tells you about that one package. The supply chain score tells you what you actually ship.

A package is a node in a graph, not an isolated artifact. Its security posture is the minimum security posture of every package in its dependency tree weighted by the damage potential if compromised.
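To make the package-score versus supply-chain-score distinction concrete, here is an added illustration. It is not the Proof of Commitment tool's code: the dependency graph, per-package scores and damage weights are constructed sample data loosely shaped like the table above, and the "weighted minimum" formula is my own reading of the sentence above, not the tool's published scoring.

```javascript
// Added example, not Proof of Commitment's implementation. Implements the rule
// "a package's posture is the minimum posture of every node in its dependency
// tree, weighted by damage potential if compromised" over constructed data.
const CRITICAL_DOWNLOADS = 10_000_000; // post's threshold: sole maintainer + >10M weekly downloads

// Constructed metadata (illustrative scores/weights, not real registry data).
// `damage` is an assumed 0..1 weight: 1.0 for auth-path code, lower for build utilities.
const packages = {
  "@modelcontextprotocol/sdk": {
    maintainers: 6, weeklyDownloads: 31e6, score: 75, damage: 1.0,
    deps: ["jose", "zod", "cross-spawn", "pkce-challenge"],
  },
  jose:             { maintainers: 1, weeklyDownloads: 62e6,  score: 40, damage: 1.0, deps: [] },
  zod:              { maintainers: 1, weeklyDownloads: 145e6, score: 45, damage: 0.5, deps: [] },
  "cross-spawn":    { maintainers: 1, weeklyDownloads: 161e6, score: 35, damage: 0.8, deps: ["path-key"] },
  "path-key":       { maintainers: 1, weeklyDownloads: 176e6, score: 35, damage: 0.3, deps: [] },
  "pkce-challenge": { maintainers: 1, weeklyDownloads: 25e6,  score: 40, damage: 1.0, deps: [] },
};

// The post's CRITICAL definition: one maintainer and more than 10M weekly downloads.
function isCritical(pkg) {
  return pkg.maintainers === 1 && pkg.weeklyDownloads > CRITICAL_DOWNLOADS;
}

// Breadth-first walk to `depth` levels, collecting each reachable package once.
function reachable(root, depth) {
  const seen = new Set([root]);
  let frontier = [root];
  for (let d = 0; d < depth; d++) {
    const next = [];
    for (const name of frontier) {
      for (const dep of packages[name].deps) {
        if (!seen.has(dep)) { seen.add(dep); next.push(dep); }
      }
    }
    frontier = next;
  }
  return [...seen];
}

// A node's effective posture is its own score with the shortfall scaled by damage;
// the tree's posture is the worst effective posture among reachable nodes.
function supplyChainScore(root, depth = 2) {
  const nodes = reachable(root, depth);
  let worst = { name: root, effective: Infinity };
  for (const name of nodes) {
    const p = packages[name];
    const effective = 100 - (100 - p.score) * p.damage;
    if (effective < worst.effective) worst = { name, effective };
  }
  return {
    packageScore: packages[root].score,             // what the single-package view shows
    supplyChainScore: Math.round(worst.effective),  // what you actually ship
    weakestLink: worst.name,
    criticalCount: nodes.filter((n) => isCritical(packages[n])).length,
    nodeCount: nodes.length,
  };
}

console.log(supplyChainScore("@modelcontextprotocol/sdk", 2));
```

With this constructed data the root keeps its 75 while the tree score collapses to the auth-path dependency, which is the point of the paragraph: the number on the package page is not the number that matters.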

jose — the JWT library your auth depends on — is maintained by one person. That person could be social-engineered, could burn out, could sell the package, could be targeted the same way the ua-parser-js maintainer was targeted in 2021.

Try It on Your Own Stack

If you're building with MCP, you can audit your full dependency tree in the web UI at getcommit.dev/audit — paste your package.json, drop it on the page, or enter a GitHub repo URL directly.

Or via the API:

```bash
# Score packages directly
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/audit \
  -H "Content-Type: application/json" \
  -d '{"packages": ["@modelcontextprotocol/sdk", "fastmcp", "jose"]}'

# Map the full supply chain
curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@modelcontextprotocol/sdk", "depth": 2}'
```

Or add it to CI (posts results as a PR comment):

```yaml
- uses: piiiico/proof-of-commitment@main
  with:
    fail-on-critical: false
    comment-on-pr: true
```

What to Do

For the packages flagged here, the risk is probabilistic, not certain. Most high-download single-maintainer packages are fine most of the time. But:

  1. jose and pkce-challenge: These are in your auth path. Know who maintains them. Watch for unexpected releases or ownership changes.
  2. cross-spawn: Consider whether you can pin the version and monitor for changes. No release in 12+ months is a flag worth tracking.
  3. hono and @hono/node-server: Yusuke Wada is an active maintainer with a strong track record — but 34M downloads/week on one person is still a concentration risk.
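"Watch for unexpected releases or ownership changes" and "pin the version and monitor for changes" can be turned into a check. The following is an added example, not part of the post or the Proof of Commitment tool: it diffs two snapshots of an npm registry package document (the `maintainers`, `dist-tags` and `time` fields that `https://registry.npmjs.org/<name>` returns) and reports the events the list above says to watch for. The two snapshots and the package name `example-spawn` are constructed, not real registry state.

```javascript
// Added example (not the post's or the tool's code): registry-metadata drift check.
// Input shape follows the npm registry package document (maintainers, dist-tags, time).
const STALE_DAYS = 365; // the post's "no release in 12+ months" threshold

function daysBetween(earlier, later) {
  return (new Date(later) - new Date(earlier)) / 86_400_000;
}

// Compare an earlier snapshot with the current one. Findings:
//  - maintainer-added / maintainer-removed: ownership changed (treat as CRITICAL)
//  - new-release: a release landed; WARN if it ends a silence longer than STALE_DAYS
//  - stale: still no release after STALE_DAYS
//  - single-maintainer: the concentration risk the post is about
function diffPackage(prev, curr, now) {
  const findings = [];
  const prevM = new Set(prev.maintainers.map((m) => m.name));
  const currM = new Set(curr.maintainers.map((m) => m.name));
  for (const m of currM) {
    if (!prevM.has(m)) findings.push({ level: "CRITICAL", kind: "maintainer-added", detail: m });
  }
  for (const m of prevM) {
    if (!currM.has(m)) findings.push({ level: "CRITICAL", kind: "maintainer-removed", detail: m });
  }

  const prevLatest = prev["dist-tags"].latest;
  const currLatest = curr["dist-tags"].latest;
  if (prevLatest !== currLatest) {
    const gapDays = daysBetween(prev.time[prevLatest], curr.time[currLatest]);
    findings.push({
      level: gapDays > STALE_DAYS ? "WARN" : "INFO",
      kind: "new-release",
      detail: `${prevLatest} -> ${currLatest} after ${Math.round(gapDays)} days`,
    });
  } else {
    const ageDays = daysBetween(curr.time[currLatest], now);
    if (ageDays > STALE_DAYS) {
      findings.push({ level: "INFO", kind: "stale", detail: `${currLatest} is ${Math.round(ageDays)} days old` });
    }
  }
  if (currM.size === 1) {
    findings.push({ level: "WARN", kind: "single-maintainer", detail: [...currM][0] });
  }
  return findings;
}

// Constructed snapshots: a stale single-maintainer package that suddenly gains a
// second maintainer and ships a release after 17 months. Names and dates are made up.
const before = {
  name: "example-spawn",
  maintainers: [{ name: "alice" }],
  "dist-tags": { latest: "7.0.3" },
  time: { "7.0.3": "2024-11-07T00:00:00.000Z" },
};
const after = {
  name: "example-spawn",
  maintainers: [{ name: "alice" }, { name: "new-owner-42" }],
  "dist-tags": { latest: "7.0.4" },
  time: { "7.0.3": "2024-11-07T00:00:00.000Z", "7.0.4": "2026-04-10T00:00:00.000Z" },
};

function demo() {
  return diffPackage(before, after, "2026-04-13T00:00:00.000Z");
}

console.log(demo());
```

Run against a stored copy of the registry document for each pinned dependency on a schedule; a CRITICAL finding on an auth-path package like `jose` or `pkce-challenge` is the signal to hold the upgrade and look at who the new maintainer is before anything else.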

The goal isn't to stop using these packages. It's to know your actual attack surface, not the attack surface you assume you have.


Scored using Proof of Commitment — a behavioral commitment scoring tool for npm packages, PyPI packages, and GitHub repos. Score = weighted composite of maintainer depth, longevity, release consistency, and download trend. CRITICAL = sole maintainer + >10M weekly downloads. Web demo | MCP server
