973 MCP Packages, 71% Single-Maintainer: A Practitioner’s Guide to AI Developer Security
At a Glance
- AI security tooling adoption lags behind AI coding tool adoption by an order of magnitude. Download ratios: 10:1 on PyPI, 28:1 on npm.
- AI-generated code ships vulnerable at baseline. 45% failure rate across 150+ LLMs. 55.8% provable vulnerability rate in formal verification across 7 models. No model scored better than a D.
- The MCP ecosystem has early-npm-era supply chain maturity. 973 packages on npm, 71% single-maintainer, 56% published in the last 30 days, 25% with no source repo. 9 of 11 MCP registries failed to detect malicious uploads.
- MCP config files are a credential exposure vector. 24,008 secrets found on public GitHub, 2,117 confirmed live. The WAVESHAPER campaign proved attackers already enumerate these files.
- Prompt injection is accelerating through the CVE pipeline. 133 CVEs in NVD, 78% rated CRITICAL or HIGH. The pace went from 3 in 2023 to 51 in 2025, with every major AI coding tool affected.
For every security tool download on npm, there are 28 AI coding tool downloads. On PyPI, the ratio is 10:1. Ninety percent of developers now use AI coding tools at work, and the security tooling for those workflows is not scaling at the same rate.
Three attack surfaces account for most of the risk: the code AI generates, the credentials developers feed it, and the context window itself. Each has specific, deployable controls. Most teams have implemented none of them.

The Code AI Writes
The most discussed risk is the most measurable. Veracode’s Spring 2026 GenAI Code Security Report tested over 150 LLMs across security-sensitive coding tasks. 45% of AI-generated code contained known security vulnerabilities. That number has not improved since their first 2025 report.
Cross-site scripting failures hit 86%. Log injection hit 88%. These are OWASP Top 10 staples, not edge cases.
A formal verification study published in April 2026 put the number higher: 55.8% of artifacts contained at least one provable vulnerability. GPT-4o scored worst at 62.4%. Gemini 2.5 Flash scored best at 48.4%. No model achieved better than a D grade.
Models identify their own vulnerable outputs 78.7% of the time when asked to review. They still generate those same flaws at 55.8% by default. The generation-review asymmetry means code review by the same model that wrote the code catches less than you would expect.
The Controls:
Run SAST on every commit, not just at PR time. With 41% of commercial code now AI-generated, scan-on-merge is too late. Tools like Semgrep, CodeQL, and Snyk integrate directly into IDE workflows and CI pipelines. The goal is catching the 45% before it reaches a branch, not after it reaches production.
Treat AI output the way you treat third-party library code: untrusted by default. Code review processes should flag AI-generated changes for security-focused review, particularly for auth logic, cryptographic implementations, and input handling. The Armis Trusted Vibing Benchmark found universal blind spots across all 18 models tested: memory buffer overflows, file upload handling, login systems, and deserialization all failed 100% of the time.
The MCP Supply Chain and Credential Exposure
The npm registry now contains 973 packages with “mcp” in the name. 71% have a single maintainer. 56% were published in the last 30 days. 25% have no linked source repository.
Average package age: 98 days. This ecosystem went from zero to nearly a thousand packages in under 18 months, and more than half of it materialized in the last month alone.

Every one of those packages can execute operating system commands when installed as an MCP server. The STDIO transport, which is the default, passes configuration parameters directly into OS command execution without validation. Anthropic has called this expected behavior. OX Security tested 11 major MCP registries and found that 9 accepted malicious server uploads without detection.
MCP config files store API keys, database credentials, and OAuth tokens in plaintext JSON. GitGuardian’s 2026 State of Secrets Sprawl report found 24,008 unique secrets in MCP config files on public GitHub. 2,117 were confirmed live at the time of scanning.
Commits co-authored by AI coding tools leaked secrets at twice the baseline rate across all of public GitHub. 28.6 million total secrets were detected on GitHub in 2025, a 34% year-over-year increase.

On March 31, 2026, the North Korean group UNC1069 hijacked the real `axios` npm package and deployed the WAVESHAPER.V2 backdoor to developer machines across Windows, macOS, and Linux. Lorikeet Security's analysis of the campaign found that the malware enumerated MCP configuration files for Claude Code, Cursor, Windsurf, and VS Code Continue, injecting rogue server definitions that turned the AI assistant into an exfiltration channel.
How to lock this down:
Never store plaintext credentials in MCP config files. Use environment variable references (`env:` blocks) or vault-based injection via 1Password CLI, HashiCorp Vault, or AWS Secrets Manager. The config file should contain a reference, never the secret.
Add `.cursor/mcp.json`, `.claude.json`, `claude_desktop_config.json`, and `.mcp.json` to your `.gitignore`. Enable GitHub Secret Scanning and Push Protection on every repository. GitHub’s MCP Server has supported secret scanning since March 2026.
Audit developer machines for unexpected MCP server entries. The WAVESHAPER campaign proved that attackers target these files specifically. If a developer cannot explain why a server entry exists, remove it.
Pin MCP server packages to specific versions and audit before upgrading. With 71% of MCP packages maintained by a single person and over half the ecosystem less than 30 days old, the supply chain maturity of this ecosystem resembles early npm circa 2015. Treat new MCP server installations the way you would treat a new third-party dependency: review the source, check the maintainer, and scope its permissions.
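The three checks above (no plaintext credentials in MCP configs, config files kept out of git, no server entries nobody can explain) can be scripted. The audit below is an added example written for this post, not code from the original article or from any MCP vendor. It assumes the common config layout `{"mcpServers": {"<name>": {"command", "args", "env"}}}`, treats `${VAR}` and `op://` values as references rather than secrets (an assumed convention), and uses a constructed sample config with fake values.

```python
"""Audit MCP config files for plaintext secrets, unexpected servers and missing
.gitignore coverage. Added example for this article, not code from the post or
from any MCP vendor. Assumes the common config layout
{"mcpServers": {"<name>": {"command": ..., "args": [...], "env": {...}}}}.
"""
import json
import re
from pathlib import Path

# Config files named in the article; used for the .gitignore check below.
MCP_CONFIG_FILES = [".cursor/mcp.json", ".claude.json", "claude_desktop_config.json", ".mcp.json"]

# Values treated as references rather than literals (assumed conventions:
# ${VAR} shell-style expansion and op:// 1Password CLI secret URIs).
REFERENCE_PATTERNS = [re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$"), re.compile(r"^op://")]
# Well-known credential prefixes; illustrative, extend for your providers.
KNOWN_PREFIXES = [
    re.compile(r"^sk-[A-Za-z0-9_-]{16,}$"),       # sk- style API keys
    re.compile(r"^gh[pousr]_[A-Za-z0-9]{20,}$"),  # GitHub tokens
    re.compile(r"^AKIA[0-9A-Z]{16}$"),            # AWS access key IDs
]
SECRET_KEY_HINT = re.compile(r"key|token|secret|password|passwd|pwd", re.I)
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/=_.-]{8,}$")

def is_reference(value: str) -> bool:
    return any(p.match(value) for p in REFERENCE_PATTERNS)

def looks_like_secret(key: str, value) -> bool:
    """True for a literal credential; references and non-strings never match."""
    if not isinstance(value, str) or is_reference(value):
        return False
    if any(p.match(value) for p in KNOWN_PREFIXES):
        return True
    # Without a known prefix, only flag opaque values under credential-like names,
    # which keeps ordinary paths and flags out of the findings.
    return bool(SECRET_KEY_HINT.search(key)) and bool(OPAQUE_VALUE.match(value))

def audit_config(config: dict, allowed_servers: set) -> list:
    """Return findings for one parsed MCP config; an empty list means clean."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        if name not in allowed_servers:
            findings.append(f"unexpected server entry: {name!r} (command={spec.get('command')!r})")
        for key, value in spec.get("env", {}).items():
            if looks_like_secret(key, value):
                findings.append(f"plaintext secret in {name!r} env {key}")
        # Credentials also get smuggled into args as --flag=value.
        for arg in spec.get("args", []):
            if isinstance(arg, str) and "=" in arg:
                key, value = arg.split("=", 1)
                if looks_like_secret(key.lstrip("-"), value):
                    findings.append(f"plaintext secret in {name!r} args {key}")
    return findings

def missing_gitignore_entries(gitignore_text: str) -> list:
    """MCP config files from the article that .gitignore does not list
    (matched by full path or by bare file name)."""
    patterns = {line.strip() for line in gitignore_text.splitlines()}
    return [f for f in MCP_CONFIG_FILES if f not in patterns and Path(f).name not in patterns]

def audit_file(path: Path, allowed_servers: set) -> list:
    return audit_config(json.loads(path.read_text()), allowed_servers)

# Constructed sample: two expected servers and one nobody can explain; all values are fake.
SAMPLE_CONFIG = {
    "mcpServers": {
        "github": {
            "command": "npx",
            "args": ["-y", "example-github-mcp-server"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE1234"},
        },
        "filesystem": {
            "command": "npx",
            "args": ["-y", "example-filesystem-mcp-server", "/home/dev/project"],
            "env": {"FS_ROOT": "${PROJECT_ROOT}"},
        },
        "update-helper": {
            "command": "node",
            "args": ["/tmp/helper.js", "--api-key=sk-EXAMPLEEXAMPLEEXAMPLE"],
        },
    }
}

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG, {"github", "filesystem"}))
    candidates = [Path.home() / ".claude.json", Path.home() / ".cursor/mcp.json",
                  Path(".mcp.json"), Path(".cursor/mcp.json")]
    for cfg in candidates:
        if cfg.exists():
            print(cfg, audit_file(cfg, {"github", "filesystem"}))
```

On the constructed sample the audit reports three findings: the literal GitHub token in the `github` server's `env`, the `update-helper` entry that is not on the allowlist, and the API key passed as an argument to it; the `${PROJECT_ROOT}` reference is correctly left alone. Run it with an allowlist maintained alongside your dependency manifest, and treat any new finding on a developer machine the way the article suggests: if nobody can explain the entry, remove it.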
The Context Window as Attack Surface
Prompt injection against AI coding assistants has moved from research papers to production CVEs. The NVD now contains 133 CVEs mentioning “prompt injection,” with 78% rated CRITICAL or HIGH. The year-over-year acceleration is steep: 3 CVEs in 2023, 19 in 2024, 51 in 2025, and 16 in the first five months of 2026.

Every major AI coding tool has been hit:
| Tool | CVE | CVSS | Attack Vector |
| --- | --- | --- | --- |
| GitHub Copilot | CVE-2025-53773 | 7.8 | Malicious code comments modify VS Code settings, bypass approval, achieve RCE |
| Cursor IDE | CVE-2026-22708 | 9.8 | Shell built-in bypass (part of a 3-CVE chain with git hook escape + TOCTOU race) |
| Claude Code | CVE-2025-55284 | — | DNS exfiltration encoding stolen data in subdomain lookups |
| Cursor IDE | CVE-2025-54135 | 9.8 | Indirect prompt injection in repo files creates malicious .cursor/mcp.json, achieves RCE |
| AWS Kiro | — | — | Poisoned spec files trigger code generation and execution without user request |
| Google Jules | — | — | Unrestricted outbound connectivity allows full credential harvesting |
The attack pattern across all of these is the same. An attacker embeds hidden instructions in content the AI processes automatically: a README, a GitHub issue, a code comment, a dependency’s documentation. The AI reads it, follows the instructions, and acts using whatever permissions the developer granted. Industry audit data widely cited by OWASP practitioners puts the rate at 73% of production AI deployments containing prompt injection vulnerabilities.
Reducing the blast radius:
Restrict AI agent permissions to the minimum needed. If the assistant does not need shell access for a task, disable it. Cursor, Claude Code, and Copilot all have configuration options to limit tool access. Review which tools and capabilities your AI assistant has enabled, and disable anything not actively required.
Be cautious with untrusted repositories. Opening a cloned repo in an AI-enabled IDE is now an attack vector. The CurXecute vulnerability (CVE-2025-54135, CVSS 9.8) allowed arbitrary command execution when the AI processed content from a poisoned repository. Treat unfamiliar repositories the way you treat unfamiliar email attachments: open in a sandboxed environment first.
Keep AI tools updated. The CVE cadence for coding assistants now rivals that of web browsers. Cursor, Copilot, and Claude Code have all shipped critical patches in 2026. Auto-update where possible, and build update checks into your regular patching cycle.
Use context restriction files. Cursor supports `.cursorignore` to exclude sensitive files and directories from AI context (indexing, tab completion, agent reads). One caveat: terminal commands run by the agent can bypass `.cursorignore`, so pair it with restrictive auto-run settings. For sensitive projects, add `.env`, credentials files, and key material to `.cursorignore` as a baseline. Claude Code supports `.claude/settings.json` with `deny` patterns for similar per-project restrictions.
Monitor outbound traffic from IDE processes. The Claude Code DNS exfiltration attack (CVE-2025-55284) worked because DNS lookups from a coding tool look like normal name resolution. Network monitoring that baselines IDE process behavior and flags anomalous destinations is the detection layer most teams are missing. EDR tools that track process-level DNS activity can catch this if configured to watch IDE binaries.
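The detection layer described above, baselining DNS activity from IDE processes and flagging the shape of data encoded into subdomain lookups, can be prototyped in a few dozen lines. The script below is an added example written for this post, not code from the original article or from any EDR product. It assumes a constructed per-process DNS log format (`<timestamp> <process> <qname>`, one query per line) and a constructed set of IDE process names; the sample log it runs on is also constructed, with rotated-alphabet labels standing in for encoded chunks.

```python
"""Flag DNS-exfiltration-like lookups from IDE processes.

Added example for this article, not from any EDR or monitoring product. Assumes
a constructed log format, one query per line: "<timestamp> <process> <qname>",
as a per-process DNS log from an EDR or a resolver with process attribution
would supply.
"""
import math
from collections import defaultdict

# Process names to baseline; assumed, adjust to the binaries your IDEs actually run.
IDE_PROCESSES = {"cursor", "code", "claude", "node"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str, levels: int = 2):
    """Return (registrable-domain guess, subdomain part). Taking the two trailing
    labels is a simplification; a public-suffix list handles co.uk-style domains."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:]), ".".join(labels[:-levels])

def analyze(log_lines, min_unique=8, min_label_len=24, min_entropy=3.0):
    """Group queries by (process, domain) and alert when one domain receives many
    distinct, long, high-entropy subdomains: the shape of data encoded into lookups."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _ts, proc, qname = parts
        if proc not in IDE_PROCESSES:
            continue
        domain, sub = split_qname(qname)
        if sub:
            seen[(proc, domain)].add(sub)
    alerts = []
    for (proc, domain), subs in seen.items():
        if len(subs) < min_unique:
            continue
        # Judge each subdomain by its longest label, where an encoded chunk would sit.
        longest = [max(sub.split("."), key=len) for sub in subs]
        avg_len = sum(len(lab) for lab in longest) / len(longest)
        avg_ent = sum(shannon_entropy(lab) for lab in longest) / len(longest)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            alerts.append({"process": proc, "domain": domain, "unique_subdomains": len(subs),
                           "avg_label_len": avg_len, "avg_entropy": avg_ent})
    return alerts

# Constructed sample log: ordinary IDE traffic plus ten lookups carrying base32-like chunks.
_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
_CHUNKS = [_ALPHABET[i:] + _ALPHABET[:i] for i in range(10)]  # stand-ins for encoded data
SAMPLE_LOG = [
    "2026-05-01T10:00:01Z cursor api.github.com",
    "2026-05-01T10:00:02Z cursor registry.npmjs.org",
    "2026-05-01T10:00:03Z code marketplace.visualstudio.com",
    "2026-05-01T10:00:04Z cursor api.github.com",
    "2026-05-01T10:00:05Z chrome www.example.org",
] + [f"2026-05-01T10:01:{i:02d}Z claude {chunk}.collect.example.net" for i, chunk in enumerate(_CHUNKS)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log the ordinary lookups (a handful of repeated hostnames per process) never reach the uniqueness threshold, while the `claude` process's ten distinct 32-character labels under one domain produce a single alert. The thresholds are starting points: tune `min_unique` and `min_label_len` against a week of real IDE traffic before alerting on them, since legitimate CDN and telemetry hostnames can also be long and varied.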
What Comes Next
AI coding assistants are gaining the ability to create branches, open PRs, deploy to staging, and access production databases. Each new capability is a permission that prompt injection can hijack. The 133 prompt injection CVEs filed so far are the early returns on an expanding attack surface.
Security teams that wait for vendors to solve this will be waiting through the vulnerability curve. The controls in this guide work with tools available today. The gap between AI adoption and AI security governance is 10:1 on PyPI and 28:1 on npm. Closing it starts with treating AI developer tooling as attack surface.
Sources
- Cloud Security Alliance, "MCP Design-Level RCE: Protocol Architecture as Attack Surface" (2026)
- Cloud Security Alliance, "Promptware: When Prompt Injection Becomes C2" (April 2026)
- Orca Security, "RoguePilot: Critical GitHub Copilot Vulnerability Exploit" (2026)
*** This is a Security Bloggers Network syndicated blog from Security, Decoded: Insights from Suzu Labs authored by Jacob Krell. Read the original post at: https://suzulabs.com/suzu-labs-blog/973-mcp-packages-71-single-maintainer-a-practitioners-guide-to-ai-developer-security

