MCP Supply Chain Attack — Trojanized Servers in Official Registries

Multiple security firms confirm a wave of supply chain attacks targeting MCP server registries. Malicious actors submitted trojanized MCP servers to official directories including MCP Market, with backdoors executing at agent startup — before any approval mechanism fires.

Updated: 2/23/2026
Severity: critical
Status: active

Description

Security researchers at Straiker, Praetorian, and Help Net Security published coordinated reports in February 2026 documenting a systematic supply chain attack campaign against the MCP ecosystem. Attackers created convincing forks of popular MCP servers and submitted them to official registries under slightly modified names (typosquatting). The malicious code included: (1) Remote Code Execution payloads that activate during server initialization, (2) Tool Poisoning that injects false context into agent reasoning, (3) Credential harvesting targeting API keys stored in environment variables. The attack is particularly dangerous because MCP servers run with the same permissions as the host agent, and most users install servers without auditing the source code.

Impact

Agents using compromised MCP servers may have had API keys, wallet private keys, and session credentials exfiltrated. Any agent with file system access could have had local data accessed. The attack affects any agent framework that supports MCP (OpenClaw, Claude Desktop, Cursor, and others).

Attack Vectors

  • Typosquatting — fake packages with names similar to popular MCP servers
  • Tool Poisoning — malicious servers inject false data into agent context
  • RCE via initialization code — payload runs before any user review
  • Credential harvesting — targeting .env files and memory stores

Mitigation

  1. Audit all installed MCP servers before running — verify source URLs against official repos
  2. Use a Skill Scanner tool before installing any new server
  3. Review server source code or wait for community audits
  4. Use minimal permissions — don't run MCP servers with file system access unless necessary
  5. Monitor agent logs for unexpected outbound connections
  6. Rotate any API keys or credentials that were accessible to agent processes
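The audit steps above can be partly automated before a server is ever launched. The script below is an added example, not code from the advisory or from any of the named vendors: it reads an MCP client configuration (assumed to use the common `{"mcpServers": {name: {command, args, env}}}` shape) and flags the red flags the advisory lists: package names within a couple of edits of an approved package (typosquatting), packages fetched from a registry without a pinned version (the initialization payload runs on whatever is downloaded), servers handed file system paths, and credentials passed through the environment. The allowlist and the sample configuration are constructed for the example.

```python
"""Audit an MCP client configuration for supply-chain red flags.

Added example (not from the advisory). Assumes the client config shape
{"mcpServers": {"<name>": {"command": ..., "args": [...], "env": {...}}}}.
"""
import json
import re

# Constructed allowlist: packages whose source has been verified against the
# upstream repository (assumption: a real deployment maintains this list itself).
APPROVED_PACKAGES = {
    "@modelcontextprotocol/server-filesystem",
    "@modelcontextprotocol/server-github",
}

# Launchers that fetch a package from a public registry at agent startup.
REGISTRY_LAUNCHERS = {"npx", "uvx"}
SECRET_ENV_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD)", re.IGNORECASE)
# "@scope/name@version", "name@version" or an unversioned spec.
PKG_SPEC_RE = re.compile(r"^(?P<name>(@[^/@]+/)?[^@]+)(@(?P<version>.+))?$")
ABS_PATH_RE = re.compile(r"^(/|[A-Za-z]:[\\/]|~)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names one or two typos away from an approved package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_spec(args):
    """First non-flag argument, i.e. the package spec handed to npx/uvx."""
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def audit_server(name, spec):
    """Return (server, severity, message) findings for one configured server."""
    findings = []
    command = spec.get("command", "")
    args = spec.get("args", [])
    env = spec.get("env", {})

    if command in REGISTRY_LAUNCHERS:
        m = PKG_SPEC_RE.match(package_spec(args) or "")
        pkg = m.group("name") if m else None
        version = m.group("version") if m else None
        if pkg is None:
            findings.append((name, "high", "registry launcher without a package spec"))
        elif pkg in APPROVED_PACKAGES:
            if version is None:
                findings.append((name, "medium", f"{pkg} is not version-pinned; startup fetches whatever is latest"))
        else:
            close = [p for p in APPROVED_PACKAGES if levenshtein(pkg, p) <= 2]
            if close:
                findings.append((name, "critical", f"{pkg} is within two edits of approved {close[0]}: possible typosquat"))
            else:
                findings.append((name, "high", f"{pkg} is not on the approved list; review its source before first run"))
    else:
        findings.append((name, "medium", f"local command '{command}': verify the source it runs"))

    for arg in args:
        if ABS_PATH_RE.match(arg):
            findings.append((name, "low", f"server is granted path {arg}; confirm file system access is required"))

    for key in env:
        if SECRET_ENV_RE.search(key):
            findings.append((name, "medium", f"credential {key} is exposed to the server process; rotate it if the server is untrusted"))
    return findings


def audit_config(config_text):
    """Audit every server in a JSON client configuration."""
    config = json.loads(config_text)
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        findings.extend(audit_server(name, spec))
    return findings


# Constructed sample configuration: one pinned approved server, one typosquatted
# name with a token in its environment, and one locally run server.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@modelcontextprotocol/server-filesystem@1.0.0", "/home/user/docs"]},
        "github": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-githib"],
                   "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_constructed"}},
        "notes": {"command": "python", "args": ["-m", "notes_server"]},
    }
})

if __name__ == "__main__":
    for server, severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {server}: {message}")
```

Run it against a real client configuration by replacing `SAMPLE_CONFIG` with the file contents; a `critical` finding means the server should not be started until the package name has been checked against the official repository.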

Sources