Your team plugged a dozen MCP servers into your AI agents last month. GitHub, Slack, Jira, maybe a database or two. MCP — Model Context Protocol — is like a universal USB port for AI tools: plug in a server, and your AI agent can file tickets, send messages, query data. It just works. Feels like magic.
But did anyone check who maintains those servers? When the code was last updated? Whether a single human ever audited it? Probably not — because MCP made connecting tools feel as easy as installing a browser extension.
The House Is on Fire
In the first two weeks of April 2026, the magic stopped working.
On April 11, researchers disclosed CVE-2026-5058 — a command injection flaw in the AWS MCP server scoring CVSS 9.8. On April 3, Microsoft's Azure DevOps MCP server got CVE-2026-32211 — CVSS 9.1, zero authentication on a server handling enterprise development infrastructure. Two trillion-dollar companies, two servers your agents probably connect to, both wide open. The details matter less than the pattern: if AWS and Microsoft can't secure their own MCP servers, what chance does a solo maintainer's community server have?
No Lockfile, No Safety
The MCP ecosystem now has over 16,000 community-built servers. A Qualys audit published March 20 — weeks before the April CVEs started dropping — already showed the foundation cracking: 53% of servers relied on static secrets — hardcoded passwords that never rotate.
Here's the part that makes this worse than npm — the package manager that JavaScript developers know and dread. npm packages can be version-locked: you pick a version, pin it, and a malicious update won't touch you until you choose to upgrade. MCP servers running via SSE (Server-Sent Events — a way for a server to push live updates to your app) are live services. When the maintainer pushes code, every connected agent gets the new behavior instantly. No lockfile. No review. No consent.
A tool schema — the contract that tells your AI agent what a server can do — can change silently overnight. There's no checksum. No diff notification. No package-lock.json equivalent. Your agent asked for "read access to GitHub issues" on Monday; by Thursday the same server could request "write access to all repositories," and your agent would comply because it trusts the server identity, not the permission set.
If that sounds like handing someone a key to your house and trusting they'll never change the locks on you — yeah, that's roughly it.
475 Malicious Pull Requests in 26 Hours
The proof arrived on April 4. Wiz Research published the prt-scan campaign: one attacker, six fake GitHub accounts, 475 malicious pull requests — code change proposals — fired at agent tool repos in a single day. The payloads stole AWS keys, GitHub tokens, Cloudflare API tokens. The attacker compromised at least two npm packages across 106 published versions. Wiz described the approach as "automation, not understanding" — elaborate multi-phase payloads from someone who didn't fully grasp GitHub's security model but still managed to do real damage.
Then on April 16, CVE-2026-33032 dropped: MCPwn, a CVSS 9.8 auth bypass in nginx-ui's MCP integration, actively exploited across 2,600 exposed instances in 50+ countries. The fix? Twenty-seven characters of code — adding one middleware call. Security researcher Yotam Perkal put it perfectly: "When you bolt MCP onto an existing application, the MCP endpoints inherit the application's full capabilities but not necessarily its security controls."
Twenty-seven characters stood between 2,600 servers and total compromise. Let that sink in.
Where's the Safety Net?
Nobody has built npm audit for MCP yet. No ecosystem-wide vulnerability scanning. No dependency lockfiles for tool schemas. The official MCP Registry uses namespace authentication tied to GitHub accounts, but there's no mandatory code audit, no maintainer verification beyond proving you own a domain. Tools like mcp-scan exist, but adoption is microscopic compared to what the ecosystem needs.
Meanwhile, enterprises wire these servers into production agent workflows — autonomous AI systems that file tickets, push code, and query databases without a human clicking "approve" each time. Qualys calls MCP servers "the new Shadow IT": they hide behind localhost, random ports, and IDE plugins, invisible to every traditional security tool.
What You Should Actually Do
Before connecting another community MCP server to your production agents:
- Check the maintainer count. A single maintainer is a bus factor of one: if they get bored or move on, you inherit their security debt.
- Verify the last commit date. Abandoned code doesn't get patched.
- Read the tool descriptions. Prompt injection — tricking AI into doing unintended things — hides in plain text, including in server metadata.
- Pin a known-good version locally. Run MCP servers from a local copy you've reviewed, not from a live remote endpoint.
- Have a replacement plan. When the server disappears — not if — you need to swap it without breaking your agents.
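The schema-drift problem described earlier (no lockfile, no checksum, no diff notification) and the "pin a known-good version" advice above can be covered by the same small control. What follows is an added example in Python, not code from the article or from any MCP project: a lockfile of tool-schema fingerprints taken at review time, diffed against what the live endpoint advertises later. The tool names, descriptions and schemas are constructed sample data.

```python
# Added example, not code from the article or any MCP project: a minimal
# lockfile for MCP tool schemas. Each tool's name, description and inputSchema
# is fingerprinted at review time; later sessions are diffed against the lock
# so silent changes are reported instead of trusted. Tool data is constructed.
import hashlib
import json

def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over a canonical JSON form of what the agent acts on."""
    canon = {"name": tool["name"],
             "description": tool.get("description", ""),
             "inputSchema": tool.get("inputSchema", {})}
    raw = json.dumps(canon, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def build_lock(tools: list[dict]) -> dict[str, str]:
    """Lock content (tool name -> fingerprint), written after human review."""
    return {t["name"]: tool_fingerprint(t) for t in tools}

def check_lock(lock: dict[str, str], tools: list[dict]) -> list[str]:
    """Drift findings; an empty list means the reviewed contract is unchanged."""
    live = {t["name"]: t for t in tools}
    findings = [f"removed: {n}" for n in sorted(set(lock) - set(live))]
    findings += [f"new tool not in lock: {n}" for n in sorted(set(live) - set(lock))]
    findings += [f"schema changed: {n}" for n in sorted(set(lock) & set(live))
                 if tool_fingerprint(live[n]) != lock[n]]
    return findings

REPO_ARG = {"type": "object", "properties": {"repo": {"type": "string"}},
            "required": ["repo"]}
# Constructed: what the server advertised when it was reviewed ("Monday")...
REVIEWED_TOOLS = [
    {"name": "list_issues", "description": "List open issues in one repository.",
     "inputSchema": REPO_ARG},
]
# ...and what the same live endpoint advertises later ("Thursday").
LIVE_TOOLS = [
    {"name": "list_issues",
     "description": "List issues across all repositories the token can reach.",
     "inputSchema": REPO_ARG},
    {"name": "push_commit", "description": "Push a commit to any repository.",
     "inputSchema": {"type": "object", "properties": {"repo": {"type": "string"},
                                                      "patch": {"type": "string"}}}},
]

if __name__ == "__main__":
    for finding in check_lock(build_lock(REVIEWED_TOOLS), LIVE_TOOLS):
        print(finding)
```

A non-empty findings list is the signal to stop the agent from connecting until a human re-reviews the server, which is the consent step the live SSE model otherwise skips.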
The Clock Is Ticking
npm took 15 years to learn that open-source supply chains need governance — from left-pad breaking half the internet in 2016 to event-stream stealing cryptocurrency in 2018 to mandatory two-factor auth for maintainers in 2022. MCP is speedrunning the same lesson in 18 months, with higher stakes: these aren't libraries that build your app, they're live services that act as your app.
The first major breach — not a CVE, not a proof of concept, but actual customer data leaving through a compromised MCP server — will determine whether the ecosystem builds security infrastructure or just keeps building more servers.
My money's on the servers.