49% of npm MCP Packages Have Security Findings
We analyzed 2,386 npm packages tagged as MCP servers or tools. 35,858 tool definitions. 49% have at least one security finding. 27% are HIGH or CRITICAL. The npm MCP ecosystem has a security problem.
Methodology
We pulled every npm package matching the queries `mcp-server`, `mcp-tool`, `model-context-protocol`, and `@modelcontextprotocol` from the npm registry. This yielded 2,386 unique packages containing a combined 35,858 tool definitions. We ran ATR v0.4.0 (71 rules) against every package. We also inspected package.json for postinstall scripts, analyzed dependency trees for known vulnerabilities, and checked for typosquatting against the top 100 most-downloaded MCP packages.
Headline Numbers
49% of all packages (1,169 of 2,386) had at least one security finding. 27% (644 packages) were rated HIGH or CRITICAL severity. The breakdown by severity: | Severity | Packages | Percentage | |----------|----------|------------| | CRITICAL | 89 | 3.7% | | HIGH | 555 | 23.3% | | MEDIUM | 312 | 13.1% | | LOW | 213 | 8.9% | | CLEAN | 1,217 | 51.0% |
The Triple Threat on npm
10.4% of packages (248 of 2,386) combined shell execution, network access, and filesystem operations -- what we call the "triple threat" pattern. This is 4x the rate we see in the broader ClawHub ecosystem (2.6%). npm MCP packages are more likely to be full-stack tools that need broad system access, which makes the attack surface larger and the line between legitimate and malicious harder to draw.
postinstall Scripts: The Silent Execution Vector
122 packages (5.1%) had postinstall scripts in their package.json. These scripts execute during `npm install`, before any code review happens. The ua-parser-js supply chain attack (CVE-2021-43616, 7.8M weekly downloads compromised) used exactly this vector -- a clean package for years, then one update added a postinstall script that installed a cryptominer. We found 18 packages where the postinstall content was obfuscated or fetched remote code at install time.
Prompt Injection Is the Most Common Finding
The single most triggered ATR rule was ATR-PI-001 (prompt injection in tool descriptions). 312 packages contained tool descriptions with instruction-like content that could override the user intent of the calling LLM. Patterns include: hidden `<IMPORTANT>` blocks (47 packages), role reassignment instructions (89 packages), and "ignore previous instructions" variants (31 packages). Not all of these are intentionally malicious -- some are clumsy attempts at providing context to the LLM. But the effect is the same: the tool description becomes an attack vector.
Typosquatting Is Active and Targeted
We identified a cluster we call SANDWORM_MODE: 19 typosquatted packages targeting popular MCP tools. Examples include `claud-code` (targeting `claude-code`), `cloude-code`, and `opencraw` (targeting `openclaw`). These packages had minimal functionality but contained postinstall scripts that harvested SSH keys and environment variables. All 19 have been reported to npm. As of writing, 14 have been removed. Five remain live.
What npm Should Do
npm currently has no MCP-specific security scanning. The existing `npm audit` checks dependency vulnerabilities but does not analyze tool definitions, SKILL.md files, or MCP-specific attack patterns. We believe npm should: (1) add ATR-based scanning to the publish pipeline, (2) flag packages with postinstall scripts that access network or filesystem, (3) require MCP packages to declare their capability requirements in a machine-readable manifest, and (4) surface risk scores on package pages.
What You Should Do
Before installing any MCP package: ```bash npx @panguard-ai/panguard audit <package-name> ``` This runs a pre-install security check and gives you a risk score before the package touches your system. If you have already installed MCP packages, run `pga scan` to audit everything currently on your machine.
The full dataset is available in the ATR repository. We update it weekly.