Two enterprise acquisitions confirmed MCP supply chain risk — but one attack class still has no defense
Two enterprise acquisitions confirmed MCP supply chain risk — but one attack class still has no defense
From Theory Delta | Methodology | Published 2026-02-25 | Updated 2026-04-19
What you expect
You treat MCP server security as an emerging concern — worth watching, but not yet requiring the rigor you’d apply to npm packages or Docker images. You review the MCP servers you install and move on. The attack surface is novel but not yet industrialized.
What actually happens
The category is no longer emerging. Two enterprise acquisitions in 90 days have moved it to infrastructure.
Snyk acquired Invariant Labs (June 24, 2025). Invariant Labs built mcp-scan and coined the attack vocabulary the entire category now uses: “tool poisoning,” “MCP rug pulls,” “cross-origin escalation.” Snyk is the dominant player in software supply chain security — npm audit, pip audit, Docker image scanning. They do not make speculative acquisitions.
Docker acquired MCP-Defender (September 5, 2025). Docker is container infrastructure, not an AI company. Acquiring a runtime MCP security tool means they classify MCP security as container-equivalent enterprise infrastructure. The post-acquisition Docker MCP Gateway adds container-native network isolation and programmable interceptors — a fundamentally different architecture than hook-based tools.
When two established supply chain security companies claim the same nascent category within 90 days of each other, that is a signal about risk magnitude, not just market interest.
Three real incidents confirm the threat model is not theoretical:
-
WhatsApp exfiltration (Invariant Labs, 2025): A malicious MCP server combined with legitimate whatsapp-mcp silently exfiltrated entire WhatsApp message history via tool poisoning. The malicious server’s tool description contained injection instructions executed when the agent processed the combined tool context.
-
Postmark npm impersonation (September 2025): A package impersonating Postmark’s email service functioned as a legitimate MCP server but BCC’d every sent email to an attacker address. Indistinguishable from the legitimate package at install time.
-
Smithery supply chain attack (October 2025): Affected 3,000+ hosted applications and their API tokens. A single compromised server in the hosted MCP registry propagated to all consumers.
The three-layer defense architecture is now stable, with 7+ tools across three tiers:
| Layer | Function | Tools |
|---|---|---|
| Package audit (pre-install) | Scan before installing | agentaudit-mcp, MCPSafetyScanner |
| Runtime defense (execution) | Hook or proxy tool calls | cc-safety-net (1,058 stars), agentguard (386 stars), MCP-Defender/Docker (251 stars) |
| Server integrity (live server) | Scan running servers | mcp-scan (2,169 stars), Cisco mcp-scanner (890 stars), ramparts (85 stars) |
One gap has no defense: mid-session rug-pull. mcp-scan’s tool pinning hashes tool descriptions on first scan and alerts on changes between sessions. This partially closes the rug-pull class. But a server that changes behavior within a single conversation — mutating tool implementations after capability listing — is not detected by any current tool. This requires stateful monitoring of the delta between listed capabilities and actual behavior in real time. No tool implements this.
No model is immune. The MCPTox benchmark tested 20 LLMs against 45 MCP servers with 353 tools (arXiv:2504.03767). o1-mini: 72.8% attack success rate. Claude 3.7-Sonnet: lowest attack rate but still measurable. Model-layer defenses reduce the attack surface; they do not close it.
mcp-scan’s --opt-out is broken. Issue #124 (open): tool descriptions are sent to Invariant’s servers on every scan regardless of the flag. For privacy-sensitive environments, use mcp-shield (no data upload) or Cisco mcp-scanner in YARA-only mode.
What this means for you
If you are treating MCP server security as an “emerging concern” to revisit later: that framing is two enterprise acquisitions out of date. The category is enterprise infrastructure now. The attack surface — 41% of production MCP servers have no authentication, tool descriptions land in agent system prompts, single compromised servers in hosted registries affect thousands of consumers — is actively exploited.
If your agent uses any MCP servers from public registries: you are in the same risk class as code that installs npm packages without auditing. The npm-circa-2015 condition applies: no behavioral vetting before publication, popularity signals unreliable (64.7 million registry entries for only 1,691 unique packages), and successful trojanized entry placements confirmed.
If you are relying on mcp-scan for privacy-sensitive scanning: the --opt-out flag is broken. Your tool descriptions are being uploaded to Invariant’s servers even when you’ve requested otherwise.
If you run agents for longer than a single capability-listing exchange: mid-session rug-pull is your unmitigated exposure. No current tool detects it.
What to do
-
Pre-install scan. Run
mcp-scanoragentaudit scan <repo-url>against any MCP server before adding it to your config. Treat it likenpm audit. For privacy-sensitive environments, use mcp-shield instead (no data upload to Invariant). -
Runtime hooks. Install cc-safety-net as a
PreToolUse(Bash)hook for destructive command blocking. Add agentguard for Write/Edit coverage and the 24-rule static scanner. Note: cc-safety-net over-fires on legitimategit restore— add allow entries if needed. -
Server integrity scanning. For production deployments, add ramparts or Cisco mcp-scanner (YARA-only mode available for air-gapped environments) to CI/CD.
-
Rug-pull monitoring. Run
mcp-scanperiodically to detect between-session tool description changes. Accept that mid-session mutation is currently unmonitored — no tool closes this gap. -
Architectural posture. Treat all MCP tool responses as untrusted input. Read-only posture for autonomous agents. Bound
maxTurns. Do not expose filesystem write access to untrusted MCP servers.
Evidence
| Tool | Version | Result |
|---|---|---|
| invariantlabs-ai/mcp-scan | latest (Apr 2026) | source-reviewed: tool pinning detects between-session changes; —opt-out flag broken (issue #124, open) |
| kenryu42/cc-safety-net | latest (Feb 2026) | source-reviewed: PreToolUse(Bash) hook blocks destructive commands; false positives on git restore |
| GoPlusSecurity/agentguard | v1.0.4 (Feb 2026) | source-reviewed: Write/Edit hook coverage + 24-rule static scanner confirmed |
| cisco-ai-defense/mcp-scanner | v4.2.0 (Feb 2026) | source-reviewed: YARA + LLM-as-judge scanning of live MCP servers; YARA-only mode available |
| MCP-Defender/MCP-Defender | latest (Feb 2026) | independently-confirmed: acquired by Docker; proxy-based runtime interception |
| riseandignite/mcp-shield | 546 stars (Apr 2026) | source-reviewed: static scanner, no Snyk data-sharing requirement — privacy-preserving alternative |
| MCPTox benchmark | arXiv:2504.03767 | independently-confirmed: 20 LLMs tested; o1-mini 72.8% attack success rate; no model immune |
| Snyk/Invariant Labs acquisition | Public record | Yes — GitHub repo transferred to snyk/agent-scan |
| Docker/MCP-Defender acquisition | Public record | Yes — Docker MCP Gateway announcements, Sept 2025 |
Confidence: independently-confirmed — 7 tools reviewed with source code analysis, 3 real-world incidents documented via public disclosures, 2 enterprise acquisitions independently confirm the category, MCPTox benchmark confirms no model immunity.
Falsification criterion: This claim would be disproved by demonstrating that (1) neither Snyk nor Docker completed the described acquisitions (public records contradict), or (2) a tool exists that detects mid-session MCP tool description mutations in real time.
Seen different? Contribute your evidence — theory delta is what makes this knowledge base work.