PulseAugur

Top AI agent packages show supply-chain risks, including official reference implementation

A recent analysis of the 50 most-downloaded Model Context Protocol (MCP) npm packages revealed significant supply-chain risks, particularly in packages with high download counts. The study, which combined behavioral signals with static analysis for CWE-22 (path traversal) vulnerabilities, found that the two most downloaded packages, chrome-devtools-mcp and @upstash/context7-mcp, both scored 'WARN'. The official reference implementation, @modelcontextprotocol/server-filesystem, also received a 'WARN' score due to numerous pattern flags, highlighting the need for manual audits.

Summary written by gemini-2.5-flash-lite from 1 source.

IMPACT Highlights critical supply-chain vulnerabilities in packages used by AI agents, potentially impacting agent security and reliability.

RANK_REASON This is a research paper detailing a novel analysis of supply-chain risks in MCP npm packages.


COVERAGE [1]

  1. dev.to — MCP tag

    We Scored the Top 50 MCP npm Packages on Supply-Chain Risk. Here's What We Found.

    We ranked the 50 most-downloaded MCP server packages on npm by weekly install count. For each, we combined behavioral signals (maintainer count, package age, publish cadence) with CWE-22 static analysis from our mcp-scan… (https://dev.to/blog/mcp-path-traversal-pattern)
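As an added illustration of the method that both the summary above and the excerpt describe (behavioral signals such as maintainer count, package age and publish cadence, combined with CWE-22 pattern flags into a WARN/OK verdict), here is a toy scorer in Python. It is not the article's mcp-scan tool and not code from the dev.to post: the weights, the thresholds, the `path.join` / `startsWith` heuristic used as the CWE-22 check, and the two package records are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic when run offline.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass
class PackageRecord:
    """Minimal stand-in for npm registry metadata plus the package's JS sources (constructed)."""
    name: str
    maintainers: int
    created: datetime
    publish_dates: list[datetime]
    sources: dict[str, str]  # file name -> source text


# Naive CWE-22 heuristic (an assumption, not the article's rules): a base
# directory joined with a variable that looks like external input, inside a
# file that never performs a startsWith containment check on the result.
JOIN_RE = re.compile(
    r"path\.join\(\s*\w+\s*,\s*(\w*(?:input|param|arg|query|body)\w*)\s*\)", re.I
)
GUARD_RE = re.compile(r"\.startsWith\(")


def behavioral_score(pkg: PackageRecord) -> tuple[int, list[str]]:
    """Points from maintainer count, package age and publish cadence (weights assumed)."""
    points, reasons = 0, []
    if pkg.maintainers <= 1:
        points += 2
        reasons.append("single maintainer")
    if NOW - pkg.created < timedelta(days=180):
        points += 2
        reasons.append("younger than 180 days")
    recent = [d for d in pkg.publish_dates if NOW - d <= timedelta(days=30)]
    if len(recent) >= 5:
        points += 1
        reasons.append(f"{len(recent)} publishes in the last 30 days")
    if pkg.publish_dates and NOW - max(pkg.publish_dates) > timedelta(days=365):
        points += 1
        reasons.append("no publish in over a year")
    return points, reasons


def cwe22_flags(sources: dict[str, str]) -> list[str]:
    """One flag per suspicious path.join in a file that shows no containment guard."""
    flags = []
    for fname, text in sources.items():
        if GUARD_RE.search(text):
            continue  # the file checks containment somewhere; do not flag it
        for m in JOIN_RE.finditer(text):
            flags.append(f"{fname}: path.join with {m.group(1)} and no startsWith guard")
    return flags


def score_package(pkg: PackageRecord) -> dict:
    """Combine behavioral points and static flags into a WARN/OK verdict (threshold assumed)."""
    b_points, reasons = behavioral_score(pkg)
    flags = cwe22_flags(pkg.sources)
    total = b_points + len(flags)
    verdict = "WARN" if total >= 3 else "OK"
    return {"name": pkg.name, "score": total, "verdict": verdict, "reasons": reasons + flags}


# Constructed sample sources: one unguarded join, one guarded with resolve + startsWith.
RISKY_SRC = """
const fs = require('fs');
const path = require('path');
function readFile(userInput) {
  const target = path.join(ROOT, userInput);
  return fs.readFileSync(target);
}
"""
SAFE_SRC = """
const fs = require('fs');
const path = require('path');
function readFile(userInput) {
  const target = path.resolve(ROOT, userInput);
  if (!target.startsWith(ROOT + path.sep)) throw new Error('outside root');
  return fs.readFileSync(target);
}
"""

# Constructed package records (names and metadata are not real npm packages).
SAMPLE_PACKAGES = [
    PackageRecord("example-new-mcp", 1, NOW - timedelta(days=40),
                  [NOW - timedelta(days=d) for d in (1, 3, 5, 9, 12, 20)],
                  {"index.js": RISKY_SRC}),
    PackageRecord("example-mature-mcp", 4, NOW - timedelta(days=900),
                  [NOW - timedelta(days=d) for d in (20, 120, 400)],
                  {"index.js": SAFE_SRC}),
]

if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        r = score_package(pkg)
        print(f"{r['name']}: {r['verdict']} (score {r['score']})")
        for reason in r["reasons"]:
            print("  -", reason)
```

The point of keeping `behavioral_score` and `cwe22_flags` separate is that each answers a different question: the first says how much trust the publishing history earns, the second says whether the code itself contains a pattern worth a manual look. A package can be WARN on either axis alone, which is why the reference implementation in the summary can land on WARN purely from pattern flags despite a healthy maintainer profile.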