I scanned 200 popular MCP server packages. Here is what I found.
A recent analysis of 200 popular MCP server packages revealed significant security vulnerabilities. The findings included a high-severity bug affecting over 2,600 instances and the discovery of hardcoded API keys in some packages. Additionally, several official MCP servers have been abandoned, raising concerns about their reliability in production environments.
- The MCP ecosystem is growing rapidly, but supply-chain hygiene is lagging behind.
- The scanner identified 138 packages that passed the security checks, while 58 received warnings and 3 were blocked.
- Six official MCP servers have not been updated for over 500 days, making them potentially unreliable.
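To make the three outcomes concrete, here is an added example (not the article's scanner or any project's code) that applies the same kind of hygiene checks the summary describes, hardcoded credential literals and update staleness, to constructed package metadata. The 500-day threshold is taken from the article; the secret patterns, the pass/warn/block rules and the sample packages are assumptions of this example.

```python
# Added example, not code from the article or its scanner: a minimal hygiene
# check for MCP server packages that yields the three outcomes the summary
# reports (pass / warn / block). The 500-day staleness threshold is the
# article's; the secret patterns and verdict rules are this example's assumptions.
import re
from datetime import date

STALE_DAYS = 500  # from the article: servers not updated for over 500 days

# Assumed patterns for common hardcoded credential formats (a real scanner
# would use a maintained rule set).
SECRET_PATTERNS = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

def find_hardcoded_secrets(files):
    """Return (filename, pattern_name) for every secret-like literal found."""
    return [(name, label) for name, text in files.items()
            for label, pat in SECRET_PATTERNS.items() if pat.search(text)]

def assess_package(pkg, today):
    """Classify one package; a leaked secret blocks, staleness only warns."""
    secrets = find_hardcoded_secrets(pkg["files"])
    age = (today - pkg["last_publish"]).days
    reasons = []
    if secrets:
        reasons.append(f"hardcoded secrets: {secrets}")
    if age > STALE_DAYS:
        reasons.append(f"not updated for {age} days")
    verdict = "block" if secrets else ("warn" if reasons else "pass")
    return {"name": pkg["name"], "verdict": verdict, "reasons": reasons}

# Constructed sample packages (not real projects); the secret value is fake.
SAMPLE_PACKAGES = [
    {"name": "mcp-example-clean", "last_publish": date(2025, 11, 1),
     "files": {"server.py": "import os\nKEY = os.environ['API_KEY']\n"}},
    {"name": "mcp-example-stale", "last_publish": date(2024, 1, 1),
     "files": {"index.js": "const k = process.env.TOKEN;\n"}},
    {"name": "mcp-example-leaky", "last_publish": date(2025, 12, 1),
     "files": {"config.py": "API_KEY = 'sk-AAAAAAAAAAAAAAAAAAAAAAAA'\n"}},
]

def scan(packages=SAMPLE_PACKAGES, today=date(2026, 1, 15)):
    """Map package name -> verdict for a batch of packages."""
    return {p["name"]: assess_package(p, today)["verdict"] for p in packages}
```

Running `scan()` on the constructed samples yields one package in each of the three buckets, with the reasons recorded so a reviewer can see why a warning or block was issued.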
Opening excerpt (first ~120 words)
weiseer Posted on May 30 • Originally published at github.com

I scanned 200 popular MCP server packages. Here is what I found. #mcp #security #supplychain #opensource

The MCP ecosystem has been growing fast, but the supply-chain hygiene has not kept up. MCPwn (CVE-2026-33032, CVSS 9.8) exposed 2,600+ instances. The Shai-Hulud npm worm stole MCP auth tokens from 172 packages. MCPSafe found high-severity bugs in official MCPs from Atlassian, GitHub, Cloudflare, and Microsoft.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to.