How do you protect against malicious MCP packages?

Install directly from original source repos. MCPShield and Driftcop do manifest scanning. SchemaPin proposes cryptographic signing for tool schemas. No standardized package provenance yet.

What is the Shai-Hulud npm supply chain attack?

A worm-style npm supply chain attack targeting legitimate packages via hijacked CI/CD. Hit 796 packages with 132M monthly downloads. Shai-Hulud 2.0 explicitly added MCP server packages to its target list.

How was the postmark-mcp npm attack discovered?

A fake "postmark-mcp" npm package (v1.0.16) was published by "phanpak" on Sep 17 2025. It silently BCC'd every email to an attacker server. Ran for weeks before detection via Snyk.

Why are MCP servers high-value supply chain targets?

MCP servers have deep filesystem access and credential-reading permissions by design. A compromised MCP server can silently read SSH keys, API tokens, and .env files.

Which companies were hit by Shai-Hulud 2.0?

Zapier, ENS Domains, PostHog, and Postman packages were temporarily trojanized. Over 25,000 affected repositories across ~350 unique users.

← Back to dashboard

clawsmith.com/signal/mcp-npm-supply-chain-attack

⚠ IssueUnderservedToolLive

npm Supply Chain Attacks Targeting MCP Packages: Backdoored MCP Servers Exfiltrate Secrets at Scale

Shai-Hulud worm hit 796 npm packages with 132M monthly downloads — MCP server packages explicitly added to target list. Fake "postmark-mcp" npm package silently BCC'd every email to attacker server for weeks before detection. Shai-Hulud 2.0 compromised Zapier, ENS, PostHog, and Postman packages. MCP servers have deep filesystem access and credential-reading permissions, making them high-value supply chain targets. Installing MCP from third-party marketplaces is now an active attack surface.