MCP servers are an unsigned install path

Model Context Protocol configs land on disk with no registry, semver policy, or SBOM. A new MCP entry is a supply chain event most stacks never modeled.

Koban Team
  • mcp
  • supply-chain
  • ai-agents

The Model Context Protocol gives coding agents new capabilities by connecting them to external tools. It also creates an install path that bypasses many of the controls you built for npm, pip, and Homebrew.

No registry, no provenance

An MCP server is typically declared in a JSON config file:

{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"]
    }
  }
}

That entry has no signed package manifest tied to a vendor, no semver policy enforced by a central registry, no SBOM your scanner already ingests, and no approval workflow before the client launches the subprocess.

Researchers and vendors have documented a growing CVE count across MCP servers, SDKs, and client integrations. GitGuardian's State of Secrets Sprawl 2026 report found 24,008 unique secrets in MCP-related configuration files on public GitHub, including 2,117 confirmed valid credentials. Lorikeet Security published a catalog of MCP-related CVEs filed in early 2026, including entries such as CVE-2025-6514 (mcp-remote) and CVE-2025-49596 (MCP Inspector).

Stdio servers inherit full privileges

Most MCP clients launch stdio servers as local subprocesses with the user's privileges: filesystem, environment variables, network, git credentials, and cloud tokens. The MCP specification's security best practices warn that users may have no insight into what commands are being executed.

General Analysis mapped nine distinct attack vectors including malicious server code, tool-description poisoning, rug-pull updates, and cross-server tool shadowing.

Case study: Bitwarden CLI, April 22, 2026

On April 22, 2026, a malicious @bitwarden/cli@2026.4.0 package was live on npm for roughly 93 minutes (Bitwarden's security team reported 5:57 PM to 7:30 PM ET). Vendor and researcher reporting documented that the payload harvested credentials from cloud providers, npm tokens, SSH keys, and Claude and MCP configuration files on infected machines.

Bitwarden confirmed that only the CLI npm distribution path was affected; browser extensions and other distribution channels were not compromised.

This is a useful example of why MCP configs belong in the same inventory scope as lockfiles: a supply chain incident on an unrelated package can still read ~/.cursor/mcp.json or Claude Desktop configs if the stealer targets them.

What visibility looks like

Koban reads MCP config files from known paths (~/.cursor/mcp.json, Claude Desktop configs, and similar). Fleet rules can flag:

  • A server name not on your allowlist
  • A new npx -y invocation pulling @latest
  • Drift between enrolled Macs in the same team

We are not claiming to validate MCP server code at runtime. We inventory what is configured and alert when it changes.

Pin versions, then watch for drift

Operational guidance from the community converges on a few basics:

  1. Pin MCP server versions by hash or exact semver. Avoid @latest in shared production configs.
  2. Audit third-party server source before adding it to a shared config.
  3. Diff MCP configs across your fleet on a schedule, not once a year.

Passive inventory closes the loop on step three.
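As an added example (not Koban's code and not part of the original post), the following Python script implements the fleet rules listed under "What visibility looks like" and steps one and three above: it parses the mcpServers map from an MCP config, classifies how each npx-launched package is pinned, checks server names against a hypothetical allowlist, and diffs two hosts' inventories to surface drift. The two configs, the allowlist, and every server entry other than the github example are constructed for the example.

```python
"""Added example: inventory MCP configs and flag unpinned or unknown servers.

Not Koban's code. Reads the `mcpServers` map from JSON configs, classifies
each npx-launched package by how it is pinned, checks server names against
an allowlist, and diffs two hosts' inventories to surface fleet drift.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two Macs in the same team; host B drifted.
HOST_A_CONFIG = json.dumps({
    "mcpServers": {
        "github": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-github"]},
        "files": {"command": "npx",
                  "args": ["-y", "@modelcontextprotocol/server-filesystem@0.6.2", "/tmp"]},
    }
})
HOST_B_CONFIG = json.dumps({
    "mcpServers": {
        "github": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-github@latest"]},
        "files": {"command": "npx",
                  "args": ["-y", "@modelcontextprotocol/server-filesystem@0.6.2", "/tmp"]},
        "notes": {"command": "npx", "args": ["-y", "some-notes-server"]},
    }
})

ALLOWLIST = {"github", "files"}  # hypothetical team allowlist, by server name

# npm package spec: optional @scope/, package name, optional @version-or-tag.
PKG_SPEC = re.compile(r"^(?P<name>(@[^/@]+/)?[^@/]+)(@(?P<spec>.+))?$")
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


@dataclass
class Finding:
    server: str
    package: Optional[str]
    pin: str            # "exact", "tag", "range", "unpinned" or "n/a"
    allowlisted: bool
    issues: list = field(default_factory=list)


def package_from_args(command: str, args: list) -> Optional[str]:
    """Return the npm package spec of an npx invocation, else None."""
    if command not in ("npx", "npm"):
        return None
    for a in args:
        if a.startswith("-"):   # skip flags such as -y
            continue
        return a                # first positional argument is the package spec
    return None


def classify_pin(spec: Optional[str]) -> str:
    """A bare name or a dist-tag resolves to whatever npm serves at launch."""
    if spec is None:
        return "unpinned"
    if EXACT_SEMVER.match(spec):
        return "exact"
    if re.match(r"^[\^~>=<*]", spec) or " " in spec:
        return "range"
    return "tag"                # latest, next, canary, ...


def inventory(config_text: str, allowlist: set) -> dict:
    """Map server name -> Finding for every entry in the config."""
    servers = json.loads(config_text).get("mcpServers", {})
    out = {}
    for name, entry in servers.items():
        pkg = package_from_args(entry.get("command", ""), entry.get("args", []))
        if pkg is None:
            f = Finding(name, None, "n/a", name in allowlist)
        else:
            m = PKG_SPEC.match(pkg)
            spec = m.group("spec") if m else None
            f = Finding(name, m.group("name") if m else pkg,
                        classify_pin(spec), name in allowlist)
        if not f.allowlisted:
            f.issues.append("server not on allowlist")
        if f.pin in ("unpinned", "tag", "range"):
            f.issues.append(f"package not pinned to exact version ({f.pin})")
        out[name] = f
    return out


def drift(a: dict, b: dict) -> list:
    """Human-readable differences between two hosts' inventories."""
    msgs = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            msgs.append(f"{name}: only on host B")
        elif name not in b:
            msgs.append(f"{name}: only on host A")
        elif (a[name].package, a[name].pin) != (b[name].package, b[name].pin):
            msgs.append(f"{name}: host A {a[name].package} ({a[name].pin}) vs "
                        f"host B {b[name].package} ({b[name].pin})")
    return msgs


if __name__ == "__main__":
    inv_a = inventory(HOST_A_CONFIG, ALLOWLIST)
    inv_b = inventory(HOST_B_CONFIG, ALLOWLIST)
    for name, f in inv_b.items():
        print(name, f.pin, f.issues)
    for line in drift(inv_a, inv_b):
        print("drift:", line)
```

Running it against the constructed configs flags github on both hosts (unpinned on A, the latest tag on B), flags notes on host B as not allowlisted, and reports two drift lines; the filesystem server, pinned to an exact version and allowlisted, produces no finding. Hash pinning, which the guidance above also recommends, would need the npm integrity field from a lockfile rather than the package spec alone.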

Further reading