In March 2016, Azer Koçulu unpublished 273 npm packages. One of them, left-pad, was eleven lines of string-padding utility. It brought down React, Babel, and the builds of thousands of projects that had never heard of it. The industry’s recorded lesson was about dependency fragility — brittle graphs, unpublished packages breaking downstream builds.
The structural lesson was more important: the npm ecosystem had built implicit trust into dependency resolution with no mechanism to verify what you were getting. Left-pad disappearing broke builds loudly. The attack surface that creates is quiet.
We rebuilt that condition, in sixty days, for AI agents.
What MCP Is
Model Context Protocol — published by Anthropic in November 2024 — is an open protocol for connecting AI agents to external tools and data sources. An MCP server exposes tools (functions the AI can invoke), resources (data the AI can read), and prompts (structured templates). An agent calls list_tools() on a configured server, receives the function catalog, and calls those tools as part of its reasoning loop.
The protocol is clean. By early 2026, thousands of MCP servers have been published to npm, PyPI, and GitHub: filesystem access, browser automation, shell execution, database queries, API integrations for GitHub, Slack, email, calendar, and cloud providers. The ecosystem grew from Anthropic’s reference implementations to a community-built catalog in roughly two months.
Two months. No code signing. No attestation requirements. No verified publisher program. No mandatory security review. npm took years to accumulate those vulnerabilities. We replicated the conditions in a single sprint.
The Permission Model Is The Attack Surface
MCP servers run as local processes or network services with delegated access granted by the user during configuration. Developer tooling configurations tend to look like this: filesystem read/write to the codebase, shell execution for builds and tests, GitHub integration with a PAT, cloud provider credentials for deployment. That profile describes a process with access to source code, stored secrets, and the ability to exfiltrate both by making outbound network requests.
The MCP server doesn’t need to escalate privileges. The developer already granted them.
The Attack Classes
The documented incidents in January 2026 follow predictable patterns.
Typosquatting and namespace confusion. The official Anthropic GitHub integration is @modelcontextprotocol/github. The attack surface is every plausible variant: @mcp/github, model-context-github, mcp-github-integration, modelcontextprotocol-github. Attackers register close-enough names, implement real GitHub integration to survive casual testing, and include a payload running alongside the legitimate handlers. The pattern is identical to npm typosquatting campaigns from 2018–2021. It works because developers copy package names from documentation, blog posts, and forum answers.
Publisher token compromise on legitimate servers. A server with genuine functionality and an established install base. The publisher’s npm token is stolen via credential stuffing or phishing. A new version ships with a data exfiltration payload. The injected code doesn’t need to be clever — it’s already running with the filesystem permissions the user configured. It reads .env, ~/.aws/credentials, ~/.ssh/id_rsa, ~/.config/gh/hosts.yml and POSTs to an attacker endpoint. The server continues to function normally.
Delayed activation. Servers that install and function correctly for days before the payload activates — to defeat time-based review. Documented in the malicious node-ipc modification in 2022, where behavior changed based on machine locale. The MCP variant uses time elapsed since first execution as the trigger.
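A defender-side check for the namespace-confusion class described above, written as an added example rather than code from the original post or from any MCP project: it normalizes candidate package names and flags those within a small edit distance of a trusted allowlist. Only @modelcontextprotocol/github comes from the post; the second allowlist entry and the verdict thresholds are constructed.

```javascript
// Added example, not from the original post: flag MCP package names that are
// near-miss variants of a trusted allowlist (the post's @mcp/github,
// model-context-github, mcp-github-integration, modelcontextprotocol-github).
// The allowlist is constructed; only the first entry is named in the post.
const TRUSTED = ['@modelcontextprotocol/github', '@modelcontextprotocol/filesystem'];

// Collapse the name to a bare token stream: drop scope and separators, fold
// "modelcontext(protocol)" to "mcp" and strip filler words, so every variant
// above reduces to "mcpgithub" just like the official name does.
function normalize(name) {
  return name
    .toLowerCase()
    .replace(/^@/, '')
    .replace(/[\/._-]+/g, '')
    .replace(/modelcontext(protocol)?/g, 'mcp')
    .replace(/(server|integration|tools|tool)/g, '');
}

// Standard Levenshtein edit distance.
function levenshtein(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + subst);
    }
  }
  return dp[a.length][b.length];
}

// 'trusted'    : exact allowlist match
// 'suspicious' : normalized form within maxDistance of a trusted name; review before install
// 'unrelated'  : no near match
function classify(name, trusted = TRUSTED, maxDistance = 2) {
  if (trusted.includes(name)) return { verdict: 'trusted', nearest: name };
  const n = normalize(name);
  let best = null;
  for (const t of trusted) {
    const distance = levenshtein(n, normalize(t));
    if (best === null || distance < best.distance) best = { nearest: t, distance };
  }
  const verdict = best && best.distance <= maxDistance ? 'suspicious' : 'unrelated';
  return { verdict, nearest: best ? best.nearest : null };
}
```

Run it over a lockfile or an MCP config before install; a 'suspicious' verdict is a prompt to check the publisher and repository, not a verdict on its own.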
Why Now Is The Worst Time
The vulnerability window isn’t a software bug. It’s an ecosystem maturity gap.
The MCP ecosystem grew faster than its security tooling. There’s no cryptographic link from a published package back to a specific source commit for most MCP servers. No mandatory review, unlike browser extensions. No OS-level enforcement of the permission model: an MCP server configured for read-only filesystem access can make outbound network requests with that data; nothing in the protocol prevents this.
The target profile amplifies the exposure. MCP users are overwhelmingly developers and technical operators — they hold credentials of disproportionate value: GitHub tokens with production write access, AWS keys with broad permissions, signing keys, deploy credentials. A compromised MCP server in a developer’s local environment isn’t intercepting low-value consumer data. It’s adjacent to the keys to production infrastructure.
The Left-Pad Parallel, And Where It Breaks
Left-pad breaking builds was loud and immediate. Builds failed. Errors appeared. The incident resolved in roughly four hours.
A malicious MCP server exfiltrating credentials is silent. The agent continues to operate correctly. The build continues to pass. The credentials continue to work — until they’re used, on attacker timelines. No build failure, no error log, no anomaly in agent behavior. The malicious behavior runs in-process with the legitimate behavior; the output is network traffic that looks like any other outbound request.
Same structural condition: implicit trust, no verified provenance, attack surface scaling with adoption. Inverted detection characteristic: left-pad broke loudly, this breaks quietly. That’s the difference between a bad day and a breach you find out about from your cloud provider six weeks later.
What Responsible Use Looks Like Now
Pin MCP server versions to exact SHAs in your configuration — same discipline as Actions pinning after tj-actions. A version pin is better than a range; a SHA is better than a version pin.
Verify package provenance where tooling supports it. Does the published npm package correspond to a specific tagged commit in the claimed source repository? npm provenance attestations exist; use them as a filter.
Apply least authority to permission grants. An MCP server for GitHub API calls does not need filesystem access. A documentation server does not need shell execution. Don’t grant broad permissions for convenience.
Treat MCP server installation as a dependency addition, because it is one. Read the source. Check the publisher. Verify the repository. For teams, this review should not be optional.
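The pinning and least-authority advice above, as an added example that is not part of the original post or of any MCP client: a small lint over an MCP client configuration that reports package specs not pinned to a commit SHA and servers holding more than one credential. The mcpServers/command/args/env layout, the sample config, and the one-credential-per-server rule are assumptions.

```javascript
// Added example, not from the original post: lint an MCP client config for
// unpinned server packages and over-broad credential grants. The
// { mcpServers: { name: { command, args, env } } } layout and the sample
// config below are constructed for illustration.
const SAMPLE_CONFIG = { mcpServers: {
  github: { command: 'npx', args: ['-y', '@modelcontextprotocol/github@latest'],
            env: { GITHUB_PERSONAL_ACCESS_TOKEN: 'ghp_placeholder', AWS_SECRET_ACCESS_KEY: 'placeholder' } },
  docs:   { command: 'npx', args: ['-y', 'github:example-org/docs-mcp#0123456789abcdef0123456789abcdef01234567'] },
  build:  { command: 'npx', args: ['-y', 'example-build-mcp@1.4.2'], env: { NPM_TOKEN: 'placeholder' } },
} };

const SECRET_RE = /(TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY)/i;

// The package spec is the first npx argument that is not a flag.
function packageSpec(server) {
  if (server.command !== 'npx') return null;
  return (server.args || []).find((a) => !a.startsWith('-')) || null;
}

// 'sha'      : git spec ending in a full 40-hex commit
// 'version'  : exact semver x.y.z (better than a range, weaker than a SHA)
// 'unpinned' : no version, a range, a dist-tag such as @latest, or a git ref that is not a commit
function pinLevel(spec) {
  if (/^(github:|git\+|https?:\/\/)/.test(spec)) return /#[0-9a-f]{40}$/.test(spec) ? 'sha' : 'unpinned';
  const at = spec.lastIndexOf('@'); // index 0 is the scope marker, not a version separator
  if (at <= 0) return 'unpinned';
  return /^\d+\.\d+\.\d+$/.test(spec.slice(at + 1)) ? 'version' : 'unpinned';
}

// One finding per problem; an empty array means the config passes. The
// "more than one credential per server" rule is a least-authority heuristic
// assumed here, not something the protocol enforces.
function lintConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    const spec = packageSpec(server);
    if (spec) {
      const level = pinLevel(spec);
      if (level !== 'sha') findings.push(`${name}: ${spec} is ${level}; pin to a commit SHA`);
    }
    const secrets = Object.keys(server.env || {}).filter((k) => SECRET_RE.test(k));
    if (secrets.length > 1) {
      findings.push(`${name}: ${secrets.length} credentials (${secrets.join(', ')}); grant one per server`);
    }
  }
  return findings;
}
```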
The Trajectory
MCP adoption will accelerate because the capability is valuable. The protocol is sound. The ecosystem will keep growing. The attack surface scales with adoption.
At current growth rates, a high-trust MCP server reaching five-figure install counts is months away. A single publisher account compromise at that scale produces an incident with the blast radius of xz-utils — targeting credentials that provide direct access to source repositories and production infrastructure by design, not as a side effect. The tooling needs to exist and the practices need to become defaults before that happens. Based on npm’s trajectory into its first major supply chain incidents, that window is approximately six to twelve months.
We built an npm in sixty days and didn’t learn anything from the last ten years of npm. That’s not a prediction. That’s a status report.
PGP signature: mcp-servers-the-new-npm-left-pad.md.asc — Key fingerprint: 5FD2 1B4F E7E4 A3CA 7971 CB09 DE66 3978 8E09 1026