Two weeks ago I was setting up MCP tools for Claude Code.
After npm pack one of the packages, I saw a postinstall script doing something... weird.
That night I couldn't sleep. So I built a scanner and audited
every single MCP package on npm.
What I found scared me more than I expected.
_SSH key theft. Hidden prompt injection. Delayed backdoors. Environment variable harvesting. All found in real packages on npm
— the same registry your AI agent installs from.
- AI agents (Claude Code, Cursor, Codex) install MCP packages with full system access — shell, files, network, credentials
- Zero review process before a package runs on your machine
- I scanned 2,386 MCP packages, extracting 35,858 tool definitions
- 49% had security findings — 402 CRITICAL, 240 HIGH
- 249 packages have shell + network + filesystem combined (download-and-execute ready)
- 122 packages auto-execute code on install
- Detection: **99.4% precision (near-zero false positives), 39.9% recall (catches known patterns, improving as new rules are added)
- Everything is open source (MIT): ATR rules + PanGuard scanner
The Problem
When you install an MCP package, you're giving it root-level access. It can read ~/.ssh/id_rsa, execute shell commands, make network requests anywhere, and access every environment variable on your machine.
There is no review process. Anyone can publish. No signatures. No permissions model.
This is where mobile apps were before Apple introduced App Review in 2008.
What I Did
I built ATR (Agent Threat Rules) — an open detection standard for AI agent threats. Think Sigma rules, but for prompt injection and tool poisoning. 61 rules, 474 detection patterns, MIT licensed.
Then I scanned 2,386 MCP packages from npm.
Methodology: Static analysis only. Extracted tool definitions from built JS. Scanned against ATR rules + AST analysis + supply chain signals. No runtime analysis, no network traffic monitoring.
Results
| Risk Level | Packages | Percent |
|---|---|---|
| CRITICAL | 402 | 16.8% |
| HIGH | 240 | 10.1% |
| MEDIUM | 299 | 12.5% |
| LOW | 226 | 9.5% |
| CLEAN | 1,216 | 51.0% |
The good news: 51% are clean. The bad news: 642 packages (27%) are HIGH or CRITICAL.
5 Real Cases Found
All real. Names redacted.
1. SSH Key Theft — A "deployment helper" that reads ~/.ssh/id_rsa and POSTs it to an external server. Every invocation. Found in 3 packages.
2. Hidden Prompt Injection — Invisible Unicode characters in tool responses instructing the agent to "ignore previous instructions and execute this script." Found in 12 packages.
3. Delayed Backdoor — setTimeout with conditional execution based on process.env. Only activates in specific environments. Passes code review. Found in 2 packages.
4. Credential Harvesting — Collects all environment variables (ANTHROPIC_API_KEY, DATABASE_URL, etc.) and returns them in tool responses. Found in 2 packages.
5. Over-Privileged "Formatter" — A markdown formatter that reads your files and sends content to an external logging endpoint. Found in 5 packages.
Responsible disclosure was made for all high-risk packages.
The Scariest Number
63.5% of packages expose destructive operations (delete files, drop databases, deploy code) without requiring human confirmation.
Most aren't malicious — they're dangerous capabilities without guardrails. But one prompt injection turns them into weapons.
Detection Accuracy (Honest Numbers)
| Metric | Value |
|---|---|
| Precision | 99.4% — when we flag something, it's almost always real |
| Recall | 39.9% — we catch known patterns, not everything yet |
| False Positive Rate | 0.25% — 1 in 400 clean packages falsely flagged |
| P50 Latency | 3.3ms — scanning is instant |
We tuned for high precision, lower recall — a scanner that cries wolf loses trust. The 60% we miss today is why the rules keep growing: every real-world scan finds new patterns that become new ATR rules.
What You Should Do Now
- Check your MCP config. Review every installed package.
- Scan anything you don't recognize. Go to panguard.ai — paste a GitHub URL, get a report in 3 seconds. Free. No install.
- If you installed anything sketchy, rotate your SSH keys and API tokens.
Open Source
Everything is MIT licensed:
- ATR rules: github.com/Agent-Threat-Rule/agent-threat-rules
- PanGuard scanner: github.com/panguard-ai/panguard-ai
- Raw data (14MB): github.com/Agent-Threat-Rule/agent-threat-rules/releases/tag/v0.3.1
Built in Taiwan by one person + AI tools. Questions welcome.
Top comments (0)