A recent analysis of the top 50 Model Context Protocol (MCP) npm packages revealed significant supply-chain risks, particularly in packages with high download counts. The study, which combined behavioral signals with static analysis for CWE-22 vulnerabilities, found that the two most downloaded packages, chrome-devtools-mcp and @upstash/context7-mcp, both scored 'WARN'. The official reference implementation, @modelcontextprotocol/server-filesystem, also received a 'WARN' score due to numerous pattern flags, highlighting the need for manual audits.
AI IMPACT: Highlights critical supply-chain vulnerabilities in packages used by AI agents, potentially impacting agent security and reliability.
RANK_REASON: This is a research paper detailing a novel analysis of supply-chain risks in MCP npm packages.
- chrome-devtools-mcp
- CWE-22
- Kubernetes
- MCP
- @modelcontextprotocol/server-filesystem
- Transcend IO
- @upstash/context7-mcp
AI-generated summary · Google Gemini · from 1 source.