
MCP's SolarWinds Moment -- 97M Downloads, 3 RCE CVEs, and 1 Supply Chain Attack in the Same Month

Model Context Protocol reached undeniable infrastructure status (97M SDK downloads, Linux Foundation governance) while simultaneously suffering the first in-the-wild supply chain attack and three critical RCE vulnerabilities. Projected enterprise AI agent adoption of 40% by end of 2026 creates a systemic vulnerability: the protocol that makes agents useful is the same protocol that makes them exploitable.

Tags: mcp, security, supply-chain, enterprise, agent | 5 min read | Feb 17, 2026

Key Takeaways

  • MCP achieved 97M monthly SDK downloads (970x growth since November 2024) and Linux Foundation governance in February 2026
  • Three critical CVEs (CVE-2025-68145, CVE-2025-68143, CVE-2025-68144) in Anthropic's own Git MCP server enable RCE via prompt injection
  • First in-the-wild MCP supply chain attack: malicious 'postmark-mcp' npm package harvesting AI agent emails
  • Gartner projects 40% enterprise application AI agent integration by EOY 2026 (from <5%)
  • OWASP MCP Top 10 published February 13 signals compliance mandates expected in 12-18 months

The Pattern: Infrastructure Growth Precedes Security Maturity

The MCP ecosystem in February 2026 exhibits a pattern security researchers have seen three times before: npm packages (2018-2019), Docker containers (2020-2021), and Kubernetes misconfigurations (2021-2022). Each time, a new infrastructure primitive was adopted faster than its security model could mature.

MCP's timeline is compressed -- 15 months from launch to 97M monthly downloads -- making the security gap more acute.

The Unstoppable Adoption Side

MCP has achieved the network effects that make a protocol irreversible. Every major AI platform has adopted it: ChatGPT, Gemini, Microsoft Copilot, Cursor, VS Code. The ecosystem metrics are extraordinary:

  • 97M+ monthly SDK downloads (from 100K in November 2024 -- a 970x increase)
  • 5,800+ available servers
  • 300+ clients
  • 50+ enterprise partners including Salesforce, ServiceNow, and Workday
  • Organizations report 40-60% faster agent deployment with MCP integrations

Three February events cemented MCP's permanence:

  1. Anthropic donated MCP to the Linux Foundation's AAIF (co-founded with Block and OpenAI), removing vendor lock-in concerns and providing governance legitimacy on par with Linux, Kubernetes, and OpenTelemetry.
  2. Google contributed gRPC transport, addressing the ~60% of enterprises running gRPC microservice infrastructure. Binary Protocol Buffers serialization offers 5-10x smaller payloads than JSON.
  3. ChatGPT, Gemini, and Copilot all now support MCP tools, meaning the three largest AI platforms funnel developers toward MCP as the default integration protocol.

The Structural Security Vulnerabilities

Supply Chain Attack (postmark-mcp)

The first confirmed in-the-wild MCP supply chain attack was discovered in February 2026 -- a malicious npm package ('postmark-mcp') posing as a legitimate email tool, with an embedded backdoor harvesting emails from AI agents. This mirrors the npm ecosystem's 'event-stream' moment (2018): the attack exploited developer trust in package registries.

The specificity of the attack (harvesting emails from agents rather than, say, developer credentials) is concerning because it shows attackers understand the MCP tool-permissions architecture.

Three CVEs in Official Servers

CVE-2025-68145, CVE-2025-68143, and CVE-2025-68144 -- all in Anthropic's own Git MCP server -- enable remote code execution via prompt injection. These vulnerabilities collectively demonstrate that even the protocol creator shipped vulnerable reference implementations:

  • Path validation bypass
  • Unrestricted git_init
  • Argument injection
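The three classes listed above each have a well-understood defensive counterpart: canonicalise and allow-list paths, confine repository creation, and never let a model-supplied string reach git in a position where it could be parsed as an option. The following is an added example of those checks for a hypothetical git-backed MCP tool; it is not code from Anthropic's Git MCP server or any other project, and every function name, the `ALLOWED_SUBCOMMANDS` set and the sample root directory are assumptions made for the example.

```python
"""Input validation for a hypothetical git-backed MCP tool.

Added example; not code from the MCP Git server, Anthropic or any project.
It demonstrates mitigations matching the three vulnerability classes named
in the text: repository paths are canonicalised and must stay under an
allow-listed root (path validation), git_init is confined to direct children
of that root (restricted git_init), and model-supplied operands are checked
and placed after a literal '--' so git never parses them as options
(argument injection). All function and parameter names are assumptions.
"""
from __future__ import annotations

import subprocess
from pathlib import Path


class ToolInputError(ValueError):
    """Raised when model-supplied tool arguments fail validation."""


def is_within_root(repo_path: str, allowed_root: str | Path) -> bool:
    """True if repo_path, after resolving '..' and symlinks, stays under allowed_root."""
    if "\x00" in repo_path:
        return False
    root = Path(allowed_root).resolve()
    # An absolute repo_path replaces root in the join, so the parents
    # check below is what actually enforces containment.
    candidate = (root / repo_path).resolve()
    return candidate == root or root in candidate.parents


def resolve_repo_path(repo_path: str, allowed_root: str | Path) -> Path:
    """Canonical path for repo_path, or ToolInputError if it escapes the root."""
    if not is_within_root(repo_path, allowed_root):
        raise ToolInputError(f"path escapes allowed root: {repo_path!r}")
    return (Path(allowed_root).resolve() / repo_path).resolve()


def is_safe_operand(value: str) -> bool:
    """Reject empty values, values git could parse as an option, and NUL bytes."""
    return bool(value) and not value.startswith("-") and "\x00" not in value


def safe_git_operands(values: list[str]) -> list[str]:
    """Validate operands and prefix them with '--' so git treats them literally."""
    for value in values:
        if not is_safe_operand(value):
            raise ToolInputError(f"operand rejected: {value!r}")
    return ["--", *values]


# Read-only subcommands the tool is allowed to run (assumed allow-list).
ALLOWED_SUBCOMMANDS = frozenset({"status", "log", "diff", "show"})


def build_git_command(subcommand: str, repo_path: str, operands: list[str],
                      allowed_root: str | Path) -> list[str]:
    """Assemble an argv list for subprocess (never a shell string)."""
    if subcommand not in ALLOWED_SUBCOMMANDS:
        raise ToolInputError(f"subcommand not permitted: {subcommand!r}")
    repo = resolve_repo_path(repo_path, allowed_root)
    return ["git", "-C", str(repo), subcommand, *safe_git_operands(operands)]


def git_init_target(repo_name: str, allowed_root: str | Path) -> Path:
    """Directory a restricted git_init may create: a direct child of the root only."""
    if not is_safe_operand(repo_name) or "/" in repo_name or repo_name in {".", ".."}:
        raise ToolInputError(f"invalid repository name: {repo_name!r}")
    target = resolve_repo_path(repo_name, allowed_root)
    if target.parent != Path(allowed_root).resolve():
        raise ToolInputError("git_init is limited to direct children of the root")
    return target


def run_git(argv: list[str]) -> str:
    """Execute the validated argv with shell=False and return stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    root = "/srv/mcp-repos"  # constructed root directory for the example
    print(build_git_command("log", "app", ["main"], root))
    for bad in ("../../etc", "/etc"):
        print(bad, "within root:", is_within_root(bad, root))
```

The key design choice is that validation happens on the resolved path and on the argv list, not on the raw string: `Path.resolve()` collapses `..` and follows symlinks before the containment test, and the `--` separator means a value that slips past `is_safe_operand` is still handed to git as an operand rather than an option.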

Microsoft's MarkItDown MCP server also had an SSRF vulnerability via prompt injection.

Credential Storage in Plaintext

AI agent credential files are stored in plaintext Markdown/JSON on local machines -- harvestable by commodity infostealers (RedLine, Lumma, Vidar). There is no standard for encrypted credential storage in MCP configurations.

The 'Rug Pull' Vector

A legitimate MCP server is deployed and auto-update trust is established; a backdoored version is then pushed, and agents automatically upgrade to the compromised version. This attack model mirrors software supply chain attacks seen in development tools and package managers.

The Privilege Elevation Problem

The MCP security problem is more severe than prior infrastructure vulnerabilities because of privilege elevation. An npm package with a backdoor can steal credentials. An MCP server with a backdoor can:

  • Read and write emails (postmark-mcp demonstrated this)
  • Execute code via connected IDEs (Codex Spark + MCP)
  • Access file systems and databases via tool permissions
  • Operate as the agent's identity with inherited permissions across all connected tools

The Shai-Hulud 2.0 campaign context amplifies the concern: 33,185 unique secrets exposed across 20,649 repositories, with 3,760 credentials still valid days after discovery. The self-sustaining worm mechanism (stolen npm tokens backdoor victim packages, infecting downstream users) could propagate through MCP server dependencies.

Security as Enterprise Adoption Bottleneck

The OWASP MCP Top 10, published February 13, 2026, signals that the security community is formalizing the threat model. This typically precedes compliance mandates by 12-18 months.

For regulated enterprises (finance, healthcare, government), this timeline creates a dilemma: adopt MCP now for competitive advantage but accept unquantified security risk, or wait 12-18 months for hardened tooling and compliance frameworks.

The gRPC transport, while solving an integration friction, also introduces a new attack surface: binary Protocol Buffer serialization can carry payloads that JSON parsers would reject. Type safety at the protocol level does not prevent semantic attacks at the tool level.

MCP and Biometric Data: A Regulatory Flashpoint

Tavus Raven-1's emotional intelligence layer (real-time audio-visual perception with emotional state tracking) introduces a particularly sensitive data category into the MCP ecosystem. If Raven-1's emotional state data flows through MCP tool connections, compromised MCP servers could harvest biometric and emotional data -- a category with explicit regulatory protections under the EU AI Act's biometric classification provisions.

This compounds the risk: biometric data (emotional intelligence signals) flowing through a standardized protocol (MCP) that is exposed to supply chain attacks carries regulatory exposure beyond the usual consequences of a data breach.

What This Means for Practitioners

ML engineers deploying MCP-based agents should immediately:

  1. Audit all installed MCP servers against the OWASP MCP Top 10 checklist
  2. Implement least-privilege permission scoping for each MCP server (don't grant file system access if only email tools are needed)
  3. Replace plaintext credential storage with encrypted vault solutions
  4. Pin MCP server versions to prevent auto-update rug pulls
  5. Catalog all AI agents and their MCP-granted permissions (the 'shadow AI agent' inventory problem)
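Steps 2 to 4, together with the plaintext credential and rug-pull sections above, are mechanical enough to check automatically against a client's server configuration. The following is an added example of such an audit, not code from any MCP client, server or the OWASP project. It assumes a Claude-Desktop-style JSON document with a top-level `mcpServers` map (the sample config, the server names, the `example-*` package names and the token value are all constructed for this example) and reports three kinds of finding: secrets embedded inline rather than referenced from a vault or environment variable, packages launched through `npx`/`uvx` without an exact version pin, and servers handed an over-broad file system scope.

```python
"""Audit an MCP client configuration for plaintext secrets, unpinned server
packages and over-broad file system scope.

Added example; not code from any MCP client or server. The config layout
(top-level "mcpServers" map with command/args/env) follows the Claude-Desktop
style; the sample document, server names and package names are constructed.
The pin syntax assumed is name@x.y.z as used by npx and uvx.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed sample: one unpinned server with an inline token, one clean
# pinned server, one pinned server with a vault-style reference but root scope.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "email": {
      "command": "npx",
      "args": ["-y", "example-email-mcp"],
      "env": {"EMAIL_API_TOKEN": "tok_constructed_0123456789abcdef0123456789"}
    },
    "git": {
      "command": "uvx",
      "args": ["example-git-mcp@1.4.2", "--repository", "/home/dev/projects/app"],
      "env": {}
    },
    "files": {
      "command": "npx",
      "args": ["-y", "example-fs-mcp@0.3.1", "/"],
      "env": {"FS_API_KEY": "${FS_API_KEY}"}
    }
  }
}
"""

SECRET_KEY_RE = re.compile(r"(token|secret|password|api_?key)", re.IGNORECASE)
# Values that delegate to an external store instead of embedding the secret:
# ${ENV_VAR} placeholders or vault-style URIs (assumed conventions).
REFERENCE_RE = re.compile(r"^\$\{[A-Z0-9_]+\}$|^(op|vault|keyring)://")
LAUNCHERS = {"npx", "uvx", "pipx"}
EXACT_VERSION_RE = re.compile(r"^(@?[^@\s]+)@(\d+\.\d+\.\d+)$")
BROAD_SCOPES = {"/", "~", "/home", "/Users", "C:\\"}


@dataclass(frozen=True)
class Finding:
    server: str
    check: str
    detail: str


def package_spec(command: str, args: list[str]) -> str | None:
    """Return the package argument handed to a launcher, skipping launcher flags."""
    if command not in LAUNCHERS:
        return None
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def check_pinning(name: str, command: str, args: list[str]) -> list[Finding]:
    """Flag launcher-run packages that float (no version, a tag, or a range)."""
    spec = package_spec(command, args)
    if spec is None or EXACT_VERSION_RE.match(spec):
        return []
    return [Finding(name, "unpinned-version",
                    f"{spec!r} is not pinned to an exact version; auto-update is possible")]


def check_secrets(name: str, env: dict[str, str]) -> list[Finding]:
    """Flag secret-looking env keys whose value is an inline literal."""
    findings = []
    for key, value in env.items():
        if SECRET_KEY_RE.search(key) and not REFERENCE_RE.match(value):
            findings.append(Finding(name, "plaintext-secret",
                                    f"{key} holds an inline value ({len(value)} chars)"))
    return findings


def check_scope(name: str, args: list[str]) -> list[Finding]:
    """Flag servers launched with a root or home directory as their scope."""
    findings = []
    for arg in args:
        if arg in BROAD_SCOPES or arg.rstrip("/") in BROAD_SCOPES:
            findings.append(Finding(name, "broad-scope",
                                    f"server is granted access to {arg!r}"))
    return findings


def audit(config_text: str) -> list[Finding]:
    """Run all checks over every server in the config and return the findings."""
    config = json.loads(config_text)
    findings: list[Finding] = []
    for name, server in config.get("mcpServers", {}).items():
        command = server.get("command", "")
        args = server.get("args", [])
        env = server.get("env", {})
        findings += check_pinning(name, command, args)
        findings += check_secrets(name, env)
        findings += check_scope(name, args)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.check}] {f.server}: {f.detail}")
```

Run against the constructed sample, the audit reports the unpinned package and inline token on the `email` server and the root-directory scope on the `files` server, while the pinned `git` server with a path-scoped repository produces nothing. Pointing `audit()` at a real client config is a first pass at steps 2 to 4; the checks are deliberately conservative pattern matches, so a clean result is a starting point, not a clearance.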

Security teams should treat MCP agent identity governance as a priority equal to IAM for human users. The blast radius of compromised MCP server credentials is potentially higher than that of compromised user accounts, because agents operate with higher privileges and lower visibility.

Enterprise timeline:

  • OWASP MCP Top 10 is available now as a security framework
  • Hardened MCP security products (signing, attestation, runtime monitoring) expected from security vendors within 3-6 months
  • Compliance mandates for regulated industries expected in 12-18 months
  • The 3-6 month window before commercial security tooling matures is the highest-risk period

Competitive Implications

Security vendors: Win. OWASP MCP Top 10 creates a new product market for MCP security posture management, software attestation, and runtime monitoring.

Anthropic: Faces reputational risk from CVEs in their own servers -- but the Linux Foundation governance donation partially mitigates by distributing security responsibility across the ecosystem.

Early enterprise adopters with security governance: Gain competitive advantage. Organizations that adopt MCP with security governance early will be ahead of the 12-18 month curve when compliance mandates arrive.
