Attack scenario 1: Malicious code and credential theft via supply chain
A trusted package that quietly steals every credential it can reach
Attack scenario 1: Malicious code and credential theft via supply chain
Attack scenario 2: Over-privileged credentials enable lateral movement
Attack scenario 3: Prompt injection triggers unauthorized database operations
Attack scenario 4: Exposed Remote MCP Servers with no authentication
Attack scenario 5: Credential leakage through logs and crash dumps
Detecting MCP security incidents
Attack scenario 1: Malicious code and credential theft via supply chain
The most direct path to compromising an MCP server is through the server package itself.
How the attack works
A developer needs an MCP server that integrates with a project management tool. They search npm, find a package named @project-tools/mcp-server with a plausible README and recent download numbers, and install it. The package functions correctly. It exposes the expected tools and connects to the project management API. But it also contains malicious code designed for data exfiltration that harvests every environment variable accessible to the process.
Why the attack succeeds
The malicious code runs at import time, before any sandboxing or monitoring can intervene. The exfiltration request targets a domain that appears to be a legitimate analytics endpoint. And because MCP servers aggregate credentials for multiple backend services within their process environment, a single compromised package grants access to all services at once.
What to look for
- npm packages with recent name changes or new maintainers
- Unexpected outbound network connections from MCP server processes
- MCP server packages that require network access during installation
- Discrepancies between the package README documentation and actual code behavior
How to defend against it
- Vendor MCP packages from trusted sources only: Third-party MCP servers from outside the core MCP ecosystem should be treated as untrusted until verified. Verify the identity of the package maintainer before installing community packages.
- Pin dependencies: Use lockfiles such as package-lock.json or yarn.lock to pin dependencies. Run software composition analysis tools such as Snyk or GitHub Advanced Security to detect malicious or vulnerable packages.
- Review the source code before deployment: For any MCP server package that will receive access to production credentials, conduct a code review. Focus on network calls, file system access, and any code that runs at import time rather than on explicit invocation.
- Restrict network egress: Run local MCP servers and remote deployments with firewall rules that limit access to required endpoints. An MCP server that connects to the GitHub API should not be making outbound requests to unknown domains.
- Sandbox MCP server processes: Run each MCP server in its own container or sandbox with minimal permissions. If the server is compromised, the blast radius is limited to the credentials explicitly provided to that container.
A supply chain attack requires some luck; the developer has to install the malicious package. Over-privileged credentials, by contrast, are already waiting for an attacker who finds any foothold.
Enter the new era of secrets management
Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.
