MCP Supply Chain RCE Advisory: Malicious Packages in the MCP Ecosystem — G8KEPR Blog
Security · 8 min read · December 15, 2025

MCP Supply Chain RCE Advisory: Malicious Packages in the MCP Ecosystem

Security researchers discovered malicious packages in the MCP server ecosystem that execute arbitrary code on installation and phone home to attacker-controlled infrastructure. An advisory for teams managing MCP server deployments.

The MCP ecosystem grew faster than its security practices. In December 2025, security researchers disclosed the discovery of multiple malicious packages in the MCP server registry that executed attacker-controlled code on installation — a supply chain attack pattern borrowed from npm, applied to AI infrastructure.

The Attack Pattern

The malicious packages followed a typosquatting pattern: package names that were character-level variations of popular legitimate MCP servers. On installation, the packages executed postinstall scripts that collected system metadata, scanned for environment variables containing API keys, and phoned home to attacker-controlled infrastructure.

```json
// package.json in malicious MCP package
{
  "name": "@mcp/filessystem",  // typosquats "@mcp/filesystem"
  "scripts": {
    "postinstall": "node scripts/setup.js"
    // setup.js exfiltrates env vars and sends to remote
  }
}
```

Packages Confirmed Malicious

The following package names were confirmed malicious. If you have these installed, remove them immediately and rotate any API keys or credentials that were present in environment variables at the time of installation.

  • @mcp/filessystem (typosquats @mcp/filesystem)
  • mcp-server-brave-seach (typosquats mcp-server-brave-search)
  • @anthropic/mcp-sdk (typosquats @modelcontextprotocol/sdk)
  • model-context-protcol (typosquats model-context-protocol)

Remediation Steps

  1. Audit your package.json and lock files for any of the malicious package names listed above
  2. Run `npm ls` or `pip list` to enumerate all installed packages and check against known-good lists
  3. Rotate all API keys and credentials that may have been exposed — assume any key present as an environment variable at install time was captured
  4. Review your npm install logs for postinstall script execution from unexpected packages
  5. Add package name verification to your CI pipeline — check installed package names against an allowlist of verified packages
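The lockfile audit described in steps 1, 4 and 5, as an added example that is not code from the advisory or from any MCP project. It works on a parsed `package-lock.json` of lockfileVersion 2 or 3 (the format with a top-level `packages` map, where npm records `hasInstallScript` for packages that declare preinstall/install/postinstall scripts). The malicious names come from the advisory's list; the allowlist, the `maxDistance` threshold and the sample lockfile are assumptions for illustration and should be replaced with your own reviewed list and real lock data.

```javascript
// Added example, not code from the G8KEPR advisory: audit a parsed
// package-lock.json (lockfileVersion 2 or 3, which carries a "packages" map)
// for the advisory's malicious names, near-miss typosquats of an allowlist,
// and packages that declare install scripts.

// Package names the advisory lists as confirmed malicious.
const KNOWN_MALICIOUS = new Set([
  "@mcp/filessystem",
  "mcp-server-brave-seach",
  "@anthropic/mcp-sdk",
  "model-context-protcol",
]);

// Assumed allowlist of verified packages; replace with your own reviewed list.
const ALLOWLIST = [
  "@mcp/filesystem",
  "mcp-server-brave-search",
  "@modelcontextprotocol/sdk",
  "model-context-protocol",
];

// Levenshtein edit distance (single-row dynamic programme) so that one- or
// two-character variations of an allowlisted name are reported.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Lockfile keys look like "node_modules/foo/node_modules/@scope/bar";
// the package name is whatever follows the last "node_modules/".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function auditLockfile(lock, allowlist = ALLOWLIST, maxDistance = 2) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (!name) continue; // "" is the root project, not a dependency
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, severity: "critical", reason: "listed as confirmed malicious" });
      continue;
    }
    if (!allowlist.includes(name)) {
      const near = allowlist.filter((good) => editDistance(name, good) <= maxDistance);
      if (near.length > 0) {
        findings.push({ name, severity: "high", reason: `resembles ${near.join(", ")}` });
      }
    }
    // npm sets hasInstallScript when the package declares preinstall/install/postinstall.
    if (entry.hasInstallScript) {
      findings.push({ name, severity: "medium", reason: "declares install scripts; review before trusting" });
    }
  }
  return findings;
}

// Constructed sample lockfile: one allowlisted package, one confirmed-malicious
// name that also runs a postinstall script, one near-miss, one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-agent" },
    "node_modules/@mcp/filesystem": { version: "1.2.0" },
    "node_modules/mcp-server-brave-seach": { version: "0.1.3", hasInstallScript: true },
    "node_modules/model-context-protoco1": { version: "2.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Edit distance only catches character-level variations of names already on the allowlist; a brand-confusion name such as `@anthropic/mcp-sdk` shares almost nothing with `@modelcontextprotocol/sdk` and is only caught by the explicit malicious list, which is why both checks are kept. Run the audit against the real lockfile in CI before `npm ci`, and treat any `critical` finding as a build failure plus a credential-rotation trigger.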

Ongoing Prevention

  • Pin exact package versions with hash verification in your lock file — do not use version ranges
  • Enable npm audit in CI and fail builds on known vulnerabilities
  • Review postinstall scripts before running npm install in sensitive environments
  • Use a private registry mirror that proxies only packages you have explicitly approved
  • Scan environment variables before running package installation — secrets should not be present during install
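A pre-install gate that enforces three of the prevention items above (exact pinned versions, an integrity hash on every lockfile entry, and no secrets in the install environment), as an added example that is not code from the advisory. It operates on parsed `package.json` and `package-lock.json` objects plus an environment map; the `integrity` and `link` fields are what npm writes into lockfileVersion 2/3 entries. The secret-detection patterns, the sample inputs and the `preinstallGate` name are assumptions constructed for illustration, and the patterns are a heuristic rather than an exhaustive secret scanner.

```javascript
// Added example, not code from the G8KEPR advisory: a CI step to run before
// `npm ci` that rejects unpinned dependencies, lockfile entries without an
// integrity hash, and secret-like environment variables.

// Exact versions only: "1.2.3" or a prerelease such as "1.2.3-beta.1".
// Ranges (^, ~, >=), dist-tags ("latest") and URLs are rejected.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function unpinnedDependencies(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ name, spec });
    }
  }
  return out;
}

// Every non-root, non-workspace-link entry should carry an integrity hash so
// that npm verifies the downloaded tarball against what was reviewed.
function entriesMissingIntegrity(lock) {
  return Object.entries(lock.packages || {})
    .filter(([key, entry]) =>
      key !== "" && !entry.link && !/^sha(256|384|512)-/.test(entry.integrity || ""))
    .map(([key]) => key);
}

// Heuristic secret detection (constructed patterns, not exhaustive): flag a
// variable by a suspicious name or by a value shaped like a well-known token.
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/i;
const SECRET_VALUE = /^(sk-[A-Za-z0-9_-]{20,}|ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16})$/;

function secretsInEnvironment(env) {
  const out = [];
  for (const [name, value] of Object.entries(env)) {
    if (!value) continue; // empty values carry nothing to exfiltrate
    if (SECRET_NAME.test(name) || SECRET_VALUE.test(value)) out.push(name);
  }
  return out;
}

// Single go/no-go decision for the CI step that precedes `npm ci`.
function preinstallGate(pkg, lock, env) {
  const problems = [];
  for (const d of unpinnedDependencies(pkg)) problems.push(`unpinned dependency ${d.name}@${d.spec}`);
  for (const k of entriesMissingIntegrity(lock)) problems.push(`no integrity hash for ${k}`);
  for (const n of secretsInEnvironment(env)) problems.push(`secret-like variable ${n} present at install time`);
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs: one range specifier, one entry without integrity,
// and an API key left in the environment. All three should be reported.
const SAMPLE_PKG = {
  name: "my-agent",
  dependencies: { "@mcp/filesystem": "1.2.0", "model-context-protocol": "^2.0.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-agent" },
    "node_modules/@mcp/filesystem": { version: "1.2.0", integrity: "sha512-constructedSampleHashValue" },
    "node_modules/model-context-protocol": { version: "2.0.0" },
  },
};
const SAMPLE_ENV = {
  PATH: "/usr/bin",
  HOME: "/home/ci",
  NODE_ENV: "production",
  ANTHROPIC_API_KEY: "sk-ant-constructed-0000000000000000",
};

console.log(JSON.stringify(preinstallGate(SAMPLE_PKG, SAMPLE_LOCK, SAMPLE_ENV), null, 2));
```

The gate is meant to run in a job that holds no deployment credentials at all; when it passes, install with `npm ci --ignore-scripts` unless the install scripts of every package have been reviewed, since a clean lockfile says nothing about what a postinstall script does.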
