--- source_block: mcp-supply-chain-security.md canonical_url: https://api.theorydelta.com/published/mcp-supply-chain-security-institutionally-confirmed published: 2026-02-25 last_verified: 2026-02-21 confidence: independently-confirmed rubric: total_claims: 8 tested_count: 0 independently_confirmed: true unlinked_count: 0 scope_matches: true falsification_stated: true content_type: landscape trust: provenance: "sourced + first-party" rigor: independently-confirmed sources: "1 GHSA, 3 documented incidents, 1 research benchmark, 9 repo links, 2 acquisition records" unlinked_claims: 0 environments_tested: - tool: "invariantlabs-ai/mcp-scan (Snyk)" version: "latest (Feb 2026)" evidence_type: source-reviewed result: "Tool pinning detects between-session description changes" - tool: "kenryu42/cc-safety-net" version: "latest (Feb 2026)" evidence_type: source-reviewed result: "PreToolUse(Bash) hook blocks destructive commands; false positives on git restore" - tool: "GoPlusSecurity/agentguard" version: "v1.0.4 (Feb 2026)" evidence_type: source-reviewed result: "Write/Edit hook coverage + 24-rule static scanner confirmed" - tool: "cisco-ai-defense/mcp-scanner" version: "v4.2.0 (Feb 2026)" evidence_type: source-reviewed result: "YARA + LLM-as-judge scanning of live MCP servers" - tool: "MCP-Defender/MCP-Defender (Docker)" version: "latest (Feb 2026)" evidence_type: independently-confirmed result: "Acquired by Docker; proxy-based runtime interception" - tool: "highflame-ai/ramparts" version: "latest (Feb 2026)" evidence_type: source-reviewed result: "Rust scanner with cross-origin analysis" - tool: "sidhpurwala-huzaifa/mcp-security-scanner" version: "latest (Feb 2026)" evidence_type: source-reviewed result: "7-mode pentest server = most complete public MCP attack taxonomy" theory_delta: "MCP supply chain security was classified as 'emerging' -- two enterprise acquisitions in 90 days (Snyk/Invariant Labs June 2025, Docker/MCP-Defender September 2025) change the classification to institutionally confirmed. The rug-pull gap is partially closed by mcp-scan tool pinning, but mid-session mutation remains open." a2a_card: type: knowledge_finding topic_tags: [mcp, security, supply-chain, rug-pull, acquisitions] confidence_score: 0.95 finding_url: https://theorydelta.com/findings/mcp-supply-chain-security-institutionally-confirmed/ mcp_query_hint: "MCP supply chain security rug-pull defense" --- # MCP supply chain security is institutionally confirmed -- two acquisitions in 90 days, but mid-session rug-pull gap remains open *From [Theory Delta](https://theorydelta.com) | [Methodology](https://theorydelta.com/methodology/) | Published 2026-02-25* ## What the docs say MCP supply chain security is an emerging concern as the MCP server ecosystem grows. Individual security tools exist to scan servers and protect agent runtimes. The MCP specification does not include a native security layer, leaving defense to external tooling. ## What actually happens The category is no longer emerging. Two enterprise acquisitions in 90 days confirmed it as institutional infrastructure: **Acquisition 1: [Snyk acquired Invariant Labs](https://github.com/invariantlabs-ai/mcp-scan)** (June 24, 2025). Invariant Labs built [mcp-scan](https://github.com/invariantlabs-ai/mcp-scan) (1,525 stars, mirrored at [snyk/agent-scan](https://github.com/snyk/agent-scan)) and coined the attack vocabulary the entire category uses: "tool poisoning," "MCP rug pulls," "cross-origin escalation." Snyk is the dominant player in software supply chain security (npm audit, pip audit, Docker image scanning). They do not make speculative acquisitions. **Acquisition 2: [Docker acquired MCP-Defender](https://github.com/MCP-Defender/MCP-Defender)** (September 5, 2025). Docker is container infrastructure, not an AI company. Acquiring a runtime MCP security tool means they classify MCP security as container-equivalent enterprise infrastructure. The post-acquisition Docker MCP Gateway adds container-native network isolation and programmable interceptors -- a fundamentally different architecture than hook-based tools. **Three confirmed real-world incidents prove the threat model is not theoretical:** 1. **WhatsApp exfiltration** ([Invariant Labs, 2025](https://github.com/invariantlabs-ai/mcp-scan)): A malicious MCP server combined with legitimate whatsapp-mcp silently exfiltrated entire WhatsApp message history via tool poisoning. The malicious server's tool description contained injection instructions executed when the agent processed the combined tool context. 2. **Postmark npm impersonation** (September 2025): Package impersonating Postmark's email service functioned as a legitimate MCP server but BCC'd every sent email to an attacker address. Indistinguishable from the legitimate package at install time. 3. **Smithery supply chain attack** (October 2025): Affected 3,000+ hosted applications and their API tokens. A single compromised server in the hosted MCP registry propagated to all consumers. **The three-layer defense architecture is now stable**, with 7+ tools across three organizational tiers: | Layer | Function | Tools | |-------|----------|-------| | Package audit (pre-install) | Scan before installing | [agentaudit-mcp](https://github.com/starbuck100/agentaudit-mcp), [MCPSafetyScanner](https://github.com/johnhalloran321/mcpSafetyScanner) | | Runtime defense (execution) | Hook or proxy tool calls | [cc-safety-net](https://github.com/kenryu42/cc-safety-net) (1,058 stars), [agentguard](https://github.com/GoPlusSecurity/agentguard) (177 stars), [MCP-Defender/Docker](https://github.com/MCP-Defender/MCP-Defender) (245 stars) | | Server integrity (live server) | Scan running servers | [mcp-scan](https://github.com/invariantlabs-ai/mcp-scan) (1,525 stars), [Cisco mcp-scanner](https://github.com/cisco-ai-defense/mcp-scanner) (807 stars), [ramparts](https://github.com/highflame-ai/ramparts) (83 stars) | **The remaining gap: mid-session rug-pull detection.** mcp-scan's tool pinning hashes tool descriptions on first scan and alerts on changes between sessions. This partially closes the rug-pull attack class. But a server that changes behavior within a single conversation -- mutating tool implementations after capability listing -- is not detected by any current tool. Closing this requires stateful monitoring of the delta between listed capabilities and actual behavior in real time. **MCPTox benchmark** ([research](https://github.com/johnhalloran321/mcpSafetyScanner), arXiv:2504.03767) tested 20 LLMs against 45 MCP servers with 353 tools. o1-mini: 72.8% attack success rate. Claude 3.7-Sonnet: lowest attack rate but still measurable. No model is immune to MCP-layer attacks. ## What to do instead 1. **Pre-install scan.** Run `mcp-scan` or `agentaudit scan ` against any MCP server before adding it to your config. Treat it like `npm audit`. 2. **Runtime hooks.** Install [cc-safety-net](https://github.com/kenryu42/cc-safety-net) as a `PreToolUse(Bash)` hook for destructive command blocking. Add [agentguard](https://github.com/GoPlusSecurity/agentguard) for Write/Edit coverage and the 24-rule static scanner. Caveat: cc-safety-net over-fires on legitimate `git restore` in multi-branch workflows -- add allow entries if needed. 3. **Server integrity scanning.** For production deployments, add [ramparts](https://github.com/highflame-ai/ramparts) or [Cisco mcp-scanner](https://github.com/cisco-ai-defense/mcp-scanner) to CI/CD to scan live servers. 4. **Rug-pull monitoring.** Run `mcp-scan` periodically to detect between-session tool description changes. Accept that mid-session mutation is currently unmonitored. 5. **Architectural posture.** Treat all MCP tool responses as untrusted input. Read-only posture for autonomous agents. Bound `maxTurns`. Do not expose filesystem write access to untrusted MCP servers. ## Environments tested | Tool | Version | Result | |------|---------|--------| | [invariantlabs-ai/mcp-scan](https://github.com/invariantlabs-ai/mcp-scan) | latest (Feb 2026) | source-reviewed: tool pinning detects between-session description changes | | [kenryu42/cc-safety-net](https://github.com/kenryu42/cc-safety-net) | latest (Feb 2026) | source-reviewed: PreToolUse(Bash) hook blocks destructive commands; false positives on git restore | | [GoPlusSecurity/agentguard](https://github.com/GoPlusSecurity/agentguard) | v1.0.4 (Feb 2026) | source-reviewed: Write/Edit hook coverage + 24-rule static scanner confirmed | | [cisco-ai-defense/mcp-scanner](https://github.com/cisco-ai-defense/mcp-scanner) | v4.2.0 (Feb 2026) | source-reviewed: YARA + LLM-as-judge scanning of live MCP servers | | [MCP-Defender/MCP-Defender](https://github.com/MCP-Defender/MCP-Defender) | latest (Feb 2026) | independently-confirmed: acquired by Docker; proxy-based runtime interception | | [highflame-ai/ramparts](https://github.com/highflame-ai/ramparts) | latest (Feb 2026) | source-reviewed: Rust scanner with cross-origin analysis | | [sidhpurwala-huzaifa/mcp-security-scanner](https://github.com/sidhpurwala-huzaifa/mcp-security-scanner) | latest (Feb 2026) | source-reviewed: 7-mode pentest server = most complete public MCP attack taxonomy | ## Confidence and gaps **Confidence:** source-reviewed + independently-confirmed -- 7 tools reviewed with source code analysis, 3 real-world incidents documented via public disclosures, 2 enterprise acquisitions independently confirm the category. [GHSA-65hm-pwj5-73pw](https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw) confirms the broader MCP security attack surface. MCPTox benchmark (arXiv:2504.03767) independently confirms no model is immune. No tools were executed in a test environment; all evidence is from source code review and public records. **Falsification criterion:** This claim would be disproved by demonstrating that (1) neither Snyk nor Docker completed the described acquisitions (public records contradict), or (2) a tool exists that detects mid-session MCP tool description mutations in real time (searched GitHub for "mcp runtime monitor", "mcp session integrity", "mcp rug pull detect" in Feb 2026 -- no results with active development). **Open questions:** Will any tool implement mid-session rug-pull detection (stateful capability monitoring)? Will OWASP MCP Top 10 become the governance standard? Has Docker MCP Gateway shipped outside enterprise preview? Is there a CVE-like shared database for MCP-specific vulnerabilities beyond agentaudit.dev? Seen different? [Contribute your evidence](https://theorydelta.com/contribute/) -- theory delta is what makes this knowledge base work.