From Theory Delta | Methodology | Published 2026-02-25
MCP supply chain security is an emerging concern as the MCP server ecosystem grows. Individual security tools exist to scan servers and protect agent runtimes. The MCP specification does not include a native security layer, leaving defense to external tooling.
The category is no longer emerging. Two enterprise acquisitions in 90 days confirmed it as institutional infrastructure:
Acquisition 1: Snyk acquired Invariant Labs (June 24, 2025). Invariant Labs built mcp-scan (1,525 stars, mirrored at snyk/agent-scan) and coined the attack vocabulary the entire category uses: "tool poisoning," "MCP rug pulls," "cross-origin escalation." Snyk is the dominant player in software supply chain security (npm audit, pip audit, Docker image scanning). They do not make speculative acquisitions.
Acquisition 2: Docker acquired MCP-Defender (September 5, 2025). Docker is container infrastructure, not an AI company. Acquiring a runtime MCP security tool means they classify MCP security as container-equivalent enterprise infrastructure. The post-acquisition Docker MCP Gateway adds container-native network isolation and programmable interceptors -- a fundamentally different architecture than hook-based tools.
Three confirmed real-world incidents prove the threat model is not theoretical:
WhatsApp exfiltration (Invariant Labs, 2025): A malicious MCP server combined with legitimate whatsapp-mcp silently exfiltrated entire WhatsApp message history via tool poisoning. The malicious server's tool description contained injection instructions executed when the agent processed the combined tool context.
Postmark npm impersonation (September 2025): Package impersonating Postmark's email service functioned as a legitimate MCP server but BCC'd every sent email to an attacker address. Indistinguishable from the legitimate package at install time.
Smithery supply chain attack (October 2025): Affected 3,000+ hosted applications and their API tokens. A single compromised server in the hosted MCP registry propagated to all consumers.
The three-layer defense architecture is now stable, with 7+ tools across three organizational tiers:
| Layer | Function | Tools |
|---|---|---|
| Package audit (pre-install) | Scan before installing | agentaudit-mcp, MCPSafetyScanner |
| Runtime defense (execution) | Hook or proxy tool calls | cc-safety-net (1,058 stars), agentguard (177 stars), MCP-Defender/Docker (245 stars) |
| Server integrity (live server) | Scan running servers | mcp-scan (1,525 stars), Cisco mcp-scanner (807 stars), ramparts (83 stars) |
The remaining gap: mid-session rug-pull detection. mcp-scan's tool pinning hashes tool descriptions on first scan and alerts on changes between sessions. This partially closes the rug-pull attack class. But a server that changes behavior within a single conversation -- mutating tool implementations after capability listing -- is not detected by any current tool. Closing this requires stateful monitoring of the delta between listed capabilities and actual behavior in real time.
MCPTox benchmark (research, arXiv:2504.03767) tested 20 LLMs against 45 MCP servers with 353 tools. o1-mini: 72.8% attack success rate. Claude 3.7-Sonnet: lowest attack rate but still measurable. No model is immune to MCP-layer attacks.
mcp-scan or agentaudit scan <repo-url> against any MCP server before adding it to your config. Treat it like npm audit.PreToolUse(Bash) hook for destructive command blocking. Add agentguard for Write/Edit coverage and the 24-rule static scanner. Caveat: cc-safety-net over-fires on legitimate git restore in multi-branch workflows -- add allow entries if needed.mcp-scan periodically to detect between-session tool description changes. Accept that mid-session mutation is currently unmonitored.maxTurns. Do not expose filesystem write access to untrusted MCP servers.| Tool | Version | Result |
|---|---|---|
| invariantlabs-ai/mcp-scan | latest (Feb 2026) | source-reviewed: tool pinning detects between-session description changes |
| kenryu42/cc-safety-net | latest (Feb 2026) | source-reviewed: PreToolUse(Bash) hook blocks destructive commands; false positives on git restore |
| GoPlusSecurity/agentguard | v1.0.4 (Feb 2026) | source-reviewed: Write/Edit hook coverage + 24-rule static scanner confirmed |
| cisco-ai-defense/mcp-scanner | v4.2.0 (Feb 2026) | source-reviewed: YARA + LLM-as-judge scanning of live MCP servers |
| MCP-Defender/MCP-Defender | latest (Feb 2026) | independently-confirmed: acquired by Docker; proxy-based runtime interception |
| highflame-ai/ramparts | latest (Feb 2026) | source-reviewed: Rust scanner with cross-origin analysis |
| sidhpurwala-huzaifa/mcp-security-scanner | latest (Feb 2026) | source-reviewed: 7-mode pentest server = most complete public MCP attack taxonomy |
Confidence: source-reviewed + independently-confirmed -- 7 tools reviewed with source code analysis, 3 real-world incidents documented via public disclosures, 2 enterprise acquisitions independently confirm the category. GHSA-65hm-pwj5-73pw confirms the broader MCP security attack surface. MCPTox benchmark (arXiv:2504.03767) independently confirms no model is immune. No tools were executed in a test environment; all evidence is from source code review and public records.
Falsification criterion: This claim would be disproved by demonstrating that (1) neither Snyk nor Docker completed the described acquisitions (public records contradict), or (2) a tool exists that detects mid-session MCP tool description mutations in real time (searched GitHub for "mcp runtime monitor", "mcp session integrity", "mcp rug pull detect" in Feb 2026 -- no results with active development).
Open questions: Will any tool implement mid-session rug-pull detection (stateful capability monitoring)? Will OWASP MCP Top 10 become the governance standard? Has Docker MCP Gateway shipped outside enterprise preview? Is there a CVE-like shared database for MCP-specific vulnerabilities beyond agentaudit.dev?
Seen different? Contribute your evidence -- theory delta is what makes this knowledge base work.