Current Situation Analysis
The rapid adoption of Model Context Protocol (MCP) servers has introduced a critical blind spot in AI infrastructure security: the assumption that high download velocity and "official" status equate to supply chain resilience. Traditional vulnerability scanners focus on static code analysis and known CVEs, completely missing behavioral and structural risks in the dependency graph.
Recent campaigns like MCPwn (CVE-2026-33032, CVSS 9.8) and MCPwnfluence (CVE-2026-27825/27826) demonstrate that attackers are no longer waiting for patches; they are exploiting unauthenticated RCE chains and SSRF-to-file-write vectors in packages that connect AI agents directly to production infrastructure. The failure mode is systemic: MCP servers are predominantly young (<2 years), experiencing explosive download growth, and maintained by single developers or tiny teams. This creates a concentration of trust that standard package registries do not flag. When transitive dependencies like zod (159M downloads/week, 1 maintainer) or strict-url-sanitise (score 31, <1 year old) sit in the critical path of OAuth flows or schema validation, a single compromise can cascade into unauthenticated server takeover. Traditional "widely used = safe" heuristics fail because they ignore maintainer longevity, release cadence anomalies, and depth-2 dependency fragility.
WOW Moment: Key Findings
Behavioral supply chain scoring reveals a consistent risk profile across exploited, official, and community MCP servers. Scanning 14 servers using Proof of Commitment and mapping dependency trees to depth 2 exposes that exploit success correlates directly with low commitment scores and high transitive dependency risk, regardless of download volume.
| Approach | Commitment score (0-100) | Weekly downloads | CRITICAL transitive nodes (depth 2) |
|---|---|---|---|
| Exploited Servers (e.g., mcp-atlassian, mcp-remote) | 42-50 | 260K-312K | 5 |
| Official Servers (Anthropic) | 42-63 | 28K-325K | 4-5 |
| Community Servers (e.g., Azure DevOps, FastMCP) | 43-50 | 0-84K | 3-4 |
| Traditional CVE Scanner Baseline | N/A (static analysis only) | N/A | Not reported; misses behavioral and transitive risk |
Key Findings:
- Every exploited MCP server scored below 55 on behavioral commitment, with an ecosystem average of 50.
- Single-maintainer concentration is the dominant failure vector: 80% of exploited packages had ≤2 maintainers despite massive download momentum.
- Transitive dependencies carry higher risk than root packages: mcp-remote (score 50) appeared acceptable until depth-2 scanning revealed 5 CRITICAL single-maintainer packages, including a sub-year-old URL sanitization library in the OAuth flow.
- Official status does not mitigate supply chain fragility: Anthropic's server-github (score 49) and server-filesystem (score 63) both contain critical single-maintainer dependencies that, if compromised, could alter tool-call validation or bypass sandbox boundaries.
Core Solution
The solution centers on implementing behavioral supply chain scoring and depth-2 dependency tree mapping before integrating MCP servers into AI agent workflows. Proof of Commitment analyzes four core vectors: maintainer depth, repository longevity, release cadence consistency, and download momentum anomalies. This shifts risk assessment from static CVE matching to dynamic trust modeling.
Technical Implementation:
- Install & Execute CLI Scanning: Run the scoring tool directly against target packages to generate commitment scores and dependency risk flags.
- Depth-2 Tree Mapping: The tool recursively resolves dependencies, flagging CRITICAL (single maintainer + high downloads), HIGH (stale/new repos), and WARN states.
- Risk-Based Integration Policy: Packages scoring <55 or containing CRITICAL transitive nodes require sandboxed execution, strict permission scoping, or alternative vetted replacements.
- Continuous Monitoring: Integrate scoring into CI/CD pipelines to detect sudden maintainer turnover, dependency swaps, or download velocity spikes that indicate supply chain compromise.
# Score MCP server packages directly
npx proof-of-commitment mcp-remote @modelcontextprotocol/s
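The command above is the tool's own CLI. As an added example (not Proof of Commitment's code and not code from the article), the JavaScript below shows the mechanics the four steps describe end to end: it scores a package on the four vectors (maintainer depth, repository longevity, release cadence consistency, download momentum), walks its dependency tree to depth 2, tags each node CRITICAL/HIGH/WARN/OK, and applies the quarantine/monitor/approve thresholds. The 25-point band per vector, the 100K-downloads-per-week cutoff for CRITICAL, the fixed "now" date, and every package name and number in the in-memory registry are constructed assumptions chosen to illustrate the logic, not real npm metadata or the tool's actual weighting.

```javascript
// Added example: toy behavioural supply-chain scorer with depth-2 tree mapping.
// Not Proof of Commitment's code; weights, cutoffs and data are assumptions.

const DAY_MS = 86400000;
// Fixed "now" so the run is deterministic (assumption).
const NOW = Date.parse('2026-04-01T00:00:00Z');

// Constructed sample registry: names and numbers are hypothetical.
const pkg = (maintainers, createdAt, weeklyDownloads, downloads12wAgo, releases, dependencies) =>
  ({ maintainers, createdAt, weeklyDownloads, downloads12wAgo, releases, dependencies });
const REGISTRY = {
  // root MCP server: two maintainers, under a year old, downloads tripled in 12 weeks
  'example-mcp-server': pkg(2, '2025-06-01', 280000, 90000,
    ['2025-06-01', '2025-07-15', '2025-09-01', '2025-11-20', '2026-02-10'],
    ['schema-lib', 'oauth-helper', 'logger-lib']),
  // huge download count, steady monthly releases, but a single maintainer
  'schema-lib': pkg(1, '2020-03-10', 150000000, 140000000,
    ['2025-10-01', '2025-11-01', '2025-12-01', '2026-01-01', '2026-02-01', '2026-03-01'], []),
  // healthy package whose own dependency is the problem
  'oauth-helper': pkg(3, '2022-01-05', 500000, 480000,
    ['2025-01-10', '2025-04-12', '2025-07-09', '2025-10-11', '2026-01-10'], ['url-sanitise-lite']),
  // sub-year-old, single maintainer, bursty releases, 15x download spike
  'url-sanitise-lite': pkg(1, '2025-09-20', 600000, 40000,
    ['2025-09-20', '2025-09-21', '2025-09-22', '2026-01-30'], ['tiny-util']),
  // depth 3 from the root: a depth-2 scan of example-mcp-server never sees it
  'tiny-util': pkg(1, '2018-01-01', 5000000, 5000000, ['2024-01-01', '2024-07-01', '2025-01-01'], []),
  'logger-lib': pkg(4, '2019-05-01', 2000000, 1900000,
    ['2025-10-01', '2025-11-01', '2025-12-01', '2026-01-01', '2026-02-01', '2026-03-01'], []),
};

const daysSince = (iso) => (NOW - Date.parse(iso)) / DAY_MS;

// Coefficient of variation of the gaps between releases (scale-free), or
// Infinity when there are too few releases to judge consistency at all.
function cadenceCv(releases) {
  if (releases.length < 3) return Infinity;
  const t = releases.map((d) => Date.parse(d));
  const gaps = t.slice(1).map((v, i) => v - t[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean;
}

// 0-100 score from the four vectors; 25-point bands are this example's assumption.
function scorePackage(m) {
  const maintainerDepth = m.maintainers >= 3 ? 25 : m.maintainers === 2 ? 15 : 5;
  const age = daysSince(m.createdAt);
  const longevity = age >= 3 * 365 ? 25 : age >= 365 ? 15 : 5;
  const stale = daysSince(m.releases[m.releases.length - 1]) > 365;
  const cv = cadenceCv(m.releases);
  const cadence = stale ? 0 : cv <= 0.5 ? 25 : cv <= 1 ? 15 : 5;
  const ratio = m.weeklyDownloads / Math.max(1, m.downloads12wAgo); // momentum over 12 weeks
  const momentum = ratio <= 2 ? 25 : ratio <= 5 ? 15 : 5;
  return maintainerDepth + longevity + cadence + momentum;
}

// Tiers as the article defines them: CRITICAL = single maintainer + high downloads
// (>= 100K/week assumed), HIGH = new (< 1 year) or stale (> 1 year idle) repo.
function flagPackage(m) {
  const stale = daysSince(m.releases[m.releases.length - 1]) > 365;
  const ratio = m.weeklyDownloads / Math.max(1, m.downloads12wAgo);
  if (m.maintainers <= 1 && m.weeklyDownloads >= 100000) return 'CRITICAL';
  if (daysSince(m.createdAt) < 365 || stale) return 'HIGH';
  if (m.maintainers <= 2 || ratio > 3) return 'WARN';
  return 'OK';
}

// Depth-2 mapping: root = depth 0, direct deps = 1, deps of deps = 2.
// Packages missing from the registry are kept as WARN nodes, not silently dropped.
function mapTree(root, maxDepth = 2) {
  const seen = new Set();
  const nodes = [];
  (function walk(name, depth, via) {
    if (depth > maxDepth || seen.has(name)) return;
    seen.add(name);
    const m = REGISTRY[name];
    if (!m) { nodes.push({ name, depth, via, score: 0, flag: 'WARN' }); return; }
    nodes.push({ name, depth, via, score: scorePackage(m), flag: flagPackage(m) });
    m.dependencies.forEach((dep) => walk(dep, depth + 1, name));
  })(root, 0, null);
  return nodes;
}

// Policy: the article's thresholds (< 55 quarantine, 55-70 monitor, > 70 approve)
// combined with its rule that any CRITICAL transitive node forces sandboxing/replacement.
function decide(root) {
  const nodes = mapTree(root);
  const rootScore = nodes[0].score;
  const critical = nodes.filter((n) => n.depth > 0 && n.flag === 'CRITICAL').map((n) => n.name);
  const decision = rootScore < 55 || critical.length ? 'quarantine' : rootScore <= 70 ? 'monitor' : 'approve';
  return { root, rootScore, decision, critical, nodes };
}

const report = decide('example-mcp-server');
for (const n of report.nodes) console.log(`${'  '.repeat(n.depth)}${n.name}  score=${n.score}  ${n.flag}`);
console.log(`decision: ${report.decision}  critical: ${report.critical.join(', ')}`);
```

Run it with `node` and note the two things the root score alone would hide: example-mcp-server scores 60, which on its own is a "monitor" result, yet the walk finds two CRITICAL nodes (the single-maintainer schema library at depth 1 and the sub-year-old sanitiser at depth 2) and the policy quarantines it; and schema-lib scores 80 despite being CRITICAL, which is exactly why a score and a flag must be read together. In a real pipeline the REGISTRY object would be replaced by live registry and download-statistics lookups, and the unresolved-package branch in mapTree matters because a lookup failure should block, not pass, the gate.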
Architecture Decision:
Deploy scoring at the gateway/agent orchestration layer, at the point where a server is registered, rather than checking at tool-call time. This ensures that only packages passing behavioral commitment thresholds and transitive dependency audits are allowed to register tools with the AI agent. Combine with least-privilege IAM policies and network segmentation so that an RCE or SSRF chain in a server that does get through is contained rather than handed production reach.
Pitfall Guide
- The "High Download = High Security" Fallacy: Packages with 100M+ weekly downloads (e.g., zod, open) are prime targets for supply chain attacks. Download velocity reflects popularity, not maintainer capacity or code integrity. Always cross-reference downloads with commitment scores.
- Ignoring Transitive Dependency Depth: Scanning only the root MCP package misses critical risks buried in depth-1 or depth-2 trees. A single vulnerable URL sanitizer or OAuth helper can compromise the entire authentication flow. Always map to depth 2+.
- Over-Trusting "Official" or Verified Packages: Anthropic's official servers still exhibit behavioral risk (scores 42-63) and contain single-maintainer critical paths. Official status guarantees API compatibility, not supply chain resilience.
- Neglecting Behavioral Commitment Metrics: Focusing solely on static CVE databases ignores maintainer burnout, stale repositories, and rapid growth anomalies. Packages under 2 years old with explosive download curves are statistically the most likely to be compromised.
- Failing to Segment AI Agent Permissions: Connecting low-commitment MCP servers directly to production databases, file systems, or CI/CD pipelines without sandboxing creates an unbounded attack surface. Always enforce tool-call allowlists and network egress controls.
Deliverables
- MCP Supply Chain Assessment Blueprint: A step-by-step framework for integrating behavioral commitment scoring into AI infrastructure provisioning, including threshold definitions (Score <55 = Quarantine, Score 55-70 = Monitor, Score >70 = Approve), depth-2 mapping protocols, and incident response playbooks for compromised transitive dependencies.
- Pre-Integration Checklist: A 12-point validation sheet covering maintainer verification, release cadence analysis, transitive dependency audit, permission scoping requirements, and rollback procedures before registering any MCP server with an AI agent.
- CI/CD Configuration Template: Ready-to-deploy GitHub Actions/GitLab CI pipeline definitions that automatically run proof-of-commitment on every MCP package update, block deployments on CRITICAL flags, and generate weekly supply chain risk reports for security teams.