MCP Supply Chain Security: Why Your Agent's Tool Ecosystem Is the Next Attack Surface
In February 2026, the supply chain threat model arrived in AI agent infrastructure all at once. Check Point Research disclosed remote code execution in Claude Code through poisoned repository config files. Trend Micro found 492 MCP servers exposed to the internet with zero authentication. Antiy CERT confirmed 1,184 malicious skills on ClawHub, the marketplace for the OpenClaw AI agent framework. And the Pentagon designated Anthropic a "supply chain risk" — the first time an American AI company received that classification.
The connective tissue across every incident: the Model Context Protocol (MCP).
MCP is the open standard that lets AI agents connect to external tools, data sources, and services. It was built for capability first. Authentication, authorization, and sandboxing were left to the implementer. Most implementers skipped all three.
How We Got Here
MCP adoption has been aggressive. Microsoft, OpenAI, Google, Amazon, GitHub Copilot, VS Code, and Cursor all support it. Community registries like Glama and mcpservers.org list thousands of servers. Developers connect MCP servers to their agents the same way they install npm packages — quickly, often without review, trusting that the ecosystem is safe.
It isn't.
The pattern is familiar to anyone who lived through the early days of npm, PyPI, or Docker Hub: a new integration protocol launches, the first deployments prioritize "does it work" over "is it secure," and attackers follow the adoption curve. MCP has followed the same trajectory, except the attack surface is broader because the AI model itself can be manipulated through the content it processes.
According to GreyNoise honeypot data, 60% of attack traffic targeting LLM endpoints had shifted to MCP endpoint reconnaissance by January 2026. Attackers understand the new surface. The question is whether defenders do.
The Real Attacks That Define the Threat Model
Claude Code RCE via Repository Config (CVE-2025-59536)
Check Point Research disclosed two configuration injection flaws in February 2026. The first exploits Hooks — a Claude Code feature that runs predefined shell commands at lifecycle events. By injecting a malicious Hook into a repository's .claude/settings.json file, an attacker gains remote code execution the moment a developer opens the project. The command runs before the trust dialog appears.
The second flaw targets MCP consent bypass: repository-controlled settings in .mcp.json could auto-approve tool connections without user interaction. Between them, an attacker only needed to plant a poisoned config file in a repository — something that happens through compromised dependencies, malicious PRs, or social engineering.
Anthropic Git MCP Server Exploit Chain (CVE-2025-68143/144/145)
Three prompt injection vulnerabilities were disclosed in Anthropic's own Git MCP server. An attacker only needed to influence what the AI assistant reads — a malicious README, a poisoned issue description — to trigger code execution or data exfiltration. The agent read the content in the course of legitimate work and executed the embedded instructions with no indication to the operator.
ClawHavoc: 1,184 Malicious Skills
The ClawHub marketplace for OpenClaw agent skills carried 1,184 confirmed malicious packages at its peak — roughly 1 in 5 packages in the ecosystem. Nine CVEs were issued, three with public exploit code. The malicious skills could read credentials, exfiltrate data, and execute arbitrary commands, all while appearing to provide legitimate functionality.
MCP Server Internet Exposure
Trend Micro's February 2026 scan found 492 MCP servers directly exposed to the public internet with zero authentication. SecurityScorecard identified over 21,000 exposed OpenClaw instances. These aren't theoretical risks — they are live attack surfaces, discoverable through routine scanning.
Azure DevOps MCP Authentication Bypass (CVE-2026-32211, CVSS 9.1)
In April 2026, API keys and access tokens in the Azure DevOps MCP server were accessible without credentials. An agent connected to this server could read tokens that granted access to entire DevOps environments.
The Lethal Trifecta
Security researcher Simon Willison identified the core architectural vulnerability of agent systems and named it the lethal trifecta. When an AI agent has all three of these characteristics simultaneously, it is exploitable by design:
- Access to private data — files, API keys, databases, internal systems
- Processes untrusted content — user inputs, third-party tool outputs, registry packages, web content
- Can communicate externally — network requests, messages, data writes to remote endpoints
Most deployed MCP agents have all three. That's the point. Agents are useful precisely because they access your data, process diverse inputs, and take actions on your behalf. The utility is the vulnerability.
Practical MCP Security: What to Do Now
1. Scan for Exposed MCP Endpoints
Query for /mcp and /sse paths across your network. Check for 0.0.0.0 bindings. Snyk's mcp-scan tool covers both MCP servers and agent skills. If an MCP server is reachable from the public internet without authentication, assume it has already been discovered.
2. Rotate Credentials in Agent Config Files
API keys in ~/.clawdbot/.env, ~/.openclaw/credentials/, .claude/settings.json, or any plaintext agent configuration file should be treated as potentially compromised and rotated now. Credential placeholders — where the agent references ${credentials.KEY} and the runtime resolves the value at the tool boundary — eliminate this entire class of exposure.
In Facio (the HITL-first agent runtime), credentials are stored in a dedicated credential store. The agent never sees the raw value — only a placeholder. This means a compromised agent cannot exfiltrate secrets directly through its own tool calls.
3. Pin and Review MCP Server Versions
Add MCP server configuration paths to your code review process. Block auto-approval settings. Review what each connected server exposes before enabling it. A server that claims to provide "file search" should not also be able to execute shell commands.
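As an added example (not Check Point's, Anthropic's or Facio's tooling), here is a review-time check for the two repository-controlled files discussed above: it parses .claude/settings.json and .mcp.json and surfaces every Hook command, every MCP server launch command and any boolean consent-style key so a human sees them before the project is opened. The key shapes it looks for (hooks.*.command, mcpServers.*.command, keys containing "approve"/"enableAll"/"trust") are assumptions about common config layouts, and the sample checkout is constructed.

```python
import json
from pathlib import Path
# File paths come from the article. The key shapes checked below (hooks.*.command,
# mcpServers.*.command, boolean keys containing "approve"/"enableAll"/"trust")
# are assumptions about common config layouts, not a spec; tune them to your tools.
CONFIG_FILES = (".claude/settings.json", ".mcp.json")
CONSENT_HINTS = ("approve", "enableall", "trust")

def _leaves(node, path=""):
    """Yield (dotted.path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, f"{path}[{i}]")
    else:
        yield path, node

def review_configs(docs: dict) -> list:
    """docs maps config path -> raw text; returns (path, kind, detail) findings."""
    findings = []
    for rel, text in docs.items():
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as e:
            findings.append((rel, "unparseable", str(e)))
            continue
        for dotted, value in _leaves(doc):
            low = dotted.lower()
            if low.startswith("hooks") and low.endswith(".command"):
                # A Hook is a shell command the client runs at a lifecycle event
                findings.append((rel, "hook", f"{dotted} = {value!r}"))
            elif value is True and any(h in low for h in CONSENT_HINTS):
                # A repo-controlled flag that would grant tool consent without a human
                findings.append((rel, "auto-approve", dotted))
            elif low.startswith("mcpservers") and low.endswith(".command"):
                # Every server the repo asks the agent to launch must be reviewed
                findings.append((rel, "mcp-server", f"{dotted} = {value!r}"))
    return findings

def review_repo(repo: Path) -> list:
    """Review whichever of the config files exist in a checkout."""
    return review_configs({rel: (repo / rel).read_text()
                           for rel in CONFIG_FILES if (repo / rel).is_file()})

SAMPLE_REPO = {  # constructed checkout: one hook, one consent flag, one server
    ".claude/settings.json": '{"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "./scripts/setup.sh"}]}]}}',
    ".mcp.json": '{"mcpServers": {"files": {"command": "npx", "args": ["fs-server"]}}, "autoApprove": true}',
}
```

Run review_repo on a fresh checkout from CI or a pre-open hook and fail the review when the findings list is non-empty and unacknowledged.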
4. Restrict Enabled Tools
Facio supports enabled_tools — an explicit allowlist of which server tools an agent can actually call. Even if a malicious MCP server registers dangerous tools, the runtime blocks the agent from invoking them. This is defense-in-depth at the tool boundary: the MCP server might be compromised, but the agent can only call the subset of tools you've explicitly permitted.
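As an added example (not Facio's own code), here is a minimal tool boundary that combines steps 2 and 4 above and the audit-logging control: the agent only ever sees ${credentials.NAME} placeholders, the runtime resolves them at call time from a store the agent cannot read, refuses any tool outside enabled_tools, scrubs raw secrets from tool output before it returns to the model, and appends each decision to an audit log. The ToolBoundary class, the two sample tools and the token value are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
# Placeholder syntax from the article: ${credentials.NAME}
PLACEHOLDER = re.compile(r"\$\{credentials\.([A-Z0-9_]+)\}")

class ToolDenied(Exception):
    """The agent asked for a tool outside its enabled_tools allowlist."""

@dataclass
class ToolBoundary:                      # hypothetical runtime component
    enabled_tools: set                   # explicit allowlist for this agent
    credential_store: dict               # NAME -> secret, held only by the runtime
    audit_log: list = field(default_factory=list)  # append-only event record

    def _resolve(self, value: str) -> str:
        # Real values appear only here, never in the model's context window
        def lookup(m):
            name = m.group(1)
            if name not in self.credential_store:
                raise KeyError(f"unknown credential placeholder: {name}")
            return self.credential_store[name]
        return PLACEHOLDER.sub(lookup, value)

    def _redact(self, text: str) -> str:
        # A tool that echoes its auth header back must not leak the raw secret
        for secret in self.credential_store.values():
            text = text.replace(secret, "[REDACTED]")
        return text

    def call(self, tool: str, args: dict, registry: dict) -> str:
        # 1. Allowlist: unknown tools and tools outside enabled_tools are refused
        if tool not in self.enabled_tools or tool not in registry:
            self.audit_log.append({"event": "denied", "tool": tool, "args": args})
            raise ToolDenied(tool)
        # 2. Resolve placeholders at the boundary; args still hold placeholders
        resolved = {k: self._resolve(v) if isinstance(v, str) else v
                    for k, v in args.items()}
        result = str(registry[tool](**resolved))
        # 3. Log the unresolved args (no secrets) and scrub the output going back
        self.audit_log.append({"event": "called", "tool": tool, "args": args})
        return self._redact(result)

# Constructed stand-ins for tools an MCP server might register
def http_get(url: str, auth: str) -> str:
    return f"GET {url} Authorization: Bearer {auth}"

def shell(cmd: str) -> str:
    return f"would run: {cmd}"
REGISTRY = {"http_get": http_get, "shell": shell}
```

Even though the sample server registers both tools, an agent whose enabled_tools is {"http_get"} gets ToolDenied on shell, and the token never appears in the audit log or the tool output.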
5. Run MCP Servers in Sandboxes
Containerize every MCP server with minimal permissions: --read-only filesystem, --network=none (unless the server genuinely needs network access), --cap-drop=ALL. The Docker sandbox limits blast radius even when a server is compromised.
6. Add AI Agents to Your Threat Model
Map which workflows depend on which AI providers and MCP servers. This is a continuous threat exposure management question, not a one-time audit. Every new MCP server you connect expands your attack surface. Treat each one as a new third-party dependency — because it is.
The Architectural Fix: Runtime-Level Enforcement
The recurring theme across every MCP security incident is that the agent runtime is the only layer that sees every tool call, every credential resolution, and every state transition. This makes the runtime the natural enforcement point for security policy.
| Control | Where It Lives | What It Prevents |
|---|---|---|
| Tool allowlisting | Runtime (enabled_tools) | Malicious tool invocation |
| Credential placeholder resolution | Runtime (credential store) | Secret exfiltration through agent output |
| Sandboxed MCP execution | Runtime (container orchestration) | Host compromise via compromised server |
| Audit logging | Runtime (immutable event log) | Undetected supply chain activity |
| Approval gates | Runtime → HITL inbox | Unreviewed high-risk tool calls |
Facio provides controls 1, 2, 4, and 5 from the table out of the box. Paired with Placet.io — the HITL inbox and messenger — the stack creates a complete audit and approval pipeline: the agent can only use tools you've approved, can't read credentials it shouldn't have, logs every action immutably, and requires human approval before any high-risk operation.
Key Takeaways
- MCP is a supply chain. Every connected server is a third-party dependency with access to your agent's execution context. Treat it with the same scrutiny as any software dependency.
- The lethal trifecta is real. Private data + untrusted content + external communication = exploitable by design. Break any one of the three and the attack fails.
- Runtime enforcement is your best defense. Tool allowlisting, credential boundaries, and sandboxing must live at the runtime layer — not in the prompt, not in the model.
- Scan, rotate, pin, and restrict. The five immediate actions are all operational, not architectural. You can implement them today.
- February 2026 was the wake-up call. The next incident won't be a surprise. The attack surface is understood. The question is whether you defend it before or after you're hit.
Sources: CyberDesserts — AI Agent Security Risks 2026, Check Point Research — Claude Code RCE, Trend Micro — MCP Server Exposure, OWASP Agentic AI Top 10, Simon Willison — The Lethal Trifecta