MCP Supply Chain Security & Risks

Since the launch of the model context protocol (MCP) in early 2025, security researchers have identified numerous supply chain security risks in MCP servers. 

Security researchers have identified supply chain risks in small DIY MCP servers and in MCP servers from big-name, trusted vendors such as Asana, Smithery, and GitHub, demonstrating that organizations adopting MCP servers cannot rely on supply-side security. 

Instead, organizations adopting MCP servers need to take steps themselves and use appropriate tooling to secure their adoption and use of MCP servers and agentic AI.

In this blog, I explain the main MCP supply chain security risks and the methods you can use to mitigate them and protect your organization when adopting MCP servers securely.

The Main MCP Supply Chain Risks (and How to Mitigate Them)

Here are the main MCP supply chain security risks and the best ways to mitigate each of them.

Risk 1 Tool Poisoning

Tool poisoning is a form of indirect prompt injection in which a malicious prompt is inserted into the metadata (e.g., the description field) of an MCP tool. The malicious prompt “infects” the AI agent when it reads the tool metadata while discovering the tools and capabilities that the MCP servers it is connected to offer.

Of course, you would never approve a clearly malicious or untrustworthy MCP server for your teams to use. However, a malicious actor – perhaps even an employee – may have inserted malicious prompts into an official and widely used MCP server. 

Malicious prompts are difficult to detect, particularly at scale, even if you consistently and painstakingly review tool metadata. Attackers can inject malicious prompts into elements that only emerge at runtime, such as server-sent error messages to the AI, further reducing detectability. 

Example of advanced tool poisoning, with a malicious prompt hidden in an error/failure message:

Mitigation

Mitigation for tool poisoning comes in two forms: firstly, preventing poisoning of your AIs from happening, and secondly, limiting the damage any poisoned (or manipulated) AI can inflict.

An MCP proxy can scan MCP traffic – including tool metadata – sent from a server to your MCP clients to detect indicators of a harmful prompt, such as the inclusion of an email address, which could indicate a data exfiltration attempt. 

However, malicious prompts are sufficiently varied and concealable enough to make pattern-based detection less than 100% reliable. The same is true for tools to scan MCP servers for security threats.

Therefore, you need a secondary layer of mitigation that focuses on limiting the damage any poisoned AI model can cause and on identifying indicators of rogue AI behavior in your organization.

This layer uses your MCP proxy/gateway to enforce robust permissions and access controls for AI agents and to inspect MCP traffic for sensitive information, including personally identifiable information, credentials, and anything else an attacker might benefit from exfiltrating. 

You can also configure your gateway to fire off an alert when it detects specific types of data. Lastly, verbose, traceable audit logs of all MCP activity enable you to investigate the causes of these alerts, identify the poisonous prompts and their sources, and root them out and remove them.

See the video below to see how this works in action, firstly using regex rules:

Also, this video shows how MCP Manager integrates with tools such as Microsoft Presidio for more advanced detection and less manual configuration compared to regex rules:

In the future, I expect to see additional protection in the form of AI agent monitoring capabilities that provide more comprehensive detection of rogue behavior. 

Risk 2 – Rug Pull/Silent Redefinition Attack

How it works

In an MCP rug pull/silent redefinition attack (also known as Update Poisoning), an attacker adds malicious prompts to the MCP only after your teams have connected to and started using the MCP server. This “rug pull” approach allows the attacker to bypass manual or automated inspections of the MCP server. 

The server is inspected and cleared as safe. Then, using a trigger, such as a set number of requests to the server, the server’s code is updated to include, for example, malicious prompts hidden in tool metadata. Attackers can also hijack the repository of an innocent MCP server and add malicious prompts to its tools’ metadata, sneakily infecting whoever already uses and trusts that server. 

MCP hosts do not automatically detect and scrutinize any changes to an MCP server’s metadata, nor do they notify you –  the user – that they are seeing updated metadata. They simply imbibe whatever the MCP server presents to them.

Mitigation

The most reliable way to mitigate rug pull attacks is to use version pinning. 

Version pinning means using an MCP proxy, gateway, or similar tool to “pin” a version of the MCP server’s metadata, name, tool names, and other properties as the only allowed version. 

When any part of a server’s metadata changes and no longer matches the pinned version, MCP clients will be unable to connect to it, and your gateway’s admin users will receive a notification to review the tool’s metadata.

See how this works in the video below:

Risk 3 – Misconfiguration

Security researchers have found numerous security vulnerabilities in live MCP servers that stem from poor configuration. Key examples of MCP server misconfiguration that are already catalogued include:

• Poor credential, secret, and token storage (e.g., multiple secrets stored in the same .env file, plaintext, or hardcoded into containers)
• Misconfiguration of authorization token handling – for example, scenarios that break the MCP spec and enable “Token Passthrough”)
• Flawed directory containment, which attackers can bypass (e.g., CVE-2025-53110)
• Flawed tenancy isolation
• Network exposure risks – such as binding servers to 0.0.0.0 instead of localhost, which makes them accessible over the internet/network (known as a NeighborJack issue)

Mitigation

MCP server builders are gradually learning from instances of misconfiguration and making responsive patches. However, there are still plenty of security issues with MCP servers, including those widely used and those built by big-name SaaS apps. 

The key to mitigating risks from MCP server misconfiguration is to reduce or eliminate any reliance upon the server and its builders for your security. 

For example, using an MCP gateway like MCP Manager to centralize and harden identity management for all the MCP servers your teams use, including the secure storage and regular rotation of access tokens. 

Platforms such as MCP Manager can deploy your MCP servers in secure formats for you, including using secure containers and tunnels as required, to mitigate risks posed by vendor-side misconfiguration. 

Risk 4 – Excessive Permissions/Lack of Permission Control

MCP servers don’t come with a built-in permissions architecture. Instead, MCP servers enable users or agents to take actions, such as read vs. write, through distinct MCP tools, such as “send_email” or “read_data”.

By default, a team member – and their AI agents – that connects to an MCP server has access to all that server’s tools and capabilities. This can mean that users who aren’t usually allowed to edit records can now do so.

This is less of a true supply chain risk, as it doesn’t emanate from a failure or breach on the MCP server vendor’s end. Instead, it’s simply a quirk of the way MCP servers work. However, you must be aware of this and take measures to control user and agent permissions. 

Mitigation

You can use an MCP gateway to provision specific tool sets to teams and users, thereby controlling the capabilities each user and their agents have access to via MCP servers.

This provides you with precise control over the capabilities users and their AI agents have when they connect to MCP servers via your MCP gateway. 

Provisioning a gateway in MCP Manager – note that in the second screen, only read/get/search tools are allowed for this gateway, preventing this set of users/agents from editing or creating database items in Notion:

Key Steps to Guard Against MCP Supply Chain Security Risks

MCP supply chain risks do not need to prevent, pause, or derail your AI initiatives. Using the right tools and approaches, you can mitigate MCP supply chain security risks and the wider array of MCP-based attack vectors.

Here are the main steps you can take:

1. Have a clear organizational policy for MCP server use, which includes a process for requesting, assessing, and approving or blocking MCP servers. These policies and processes should incorporate the tools you will use – such as an MCP gateway – to allow your organization to maintain control, observability, and security over its MCP ecosystem.
2. Select and use an MCP gateway to create a central security and control plane for all your organization’s MCP server usage. An MCP gateway enables you to:
   • Deploy and provision MCP servers to your teams in secure formats
   • Centralize and maintain consistency over identity and credential management
   • Control which servers and tools are allowed and blocked at an organizational level
   • Control access to servers and tools (and therein capabilities) at a team/user/role level
   • Apply security policies, safeguards, and guardrails at runtime
   • “Pin” tool metadata to prevent rugpull attacks (also known as update poisoning or silent redefinition)
   • Generate verbose, fully traceable audit logs of all MCP traffic
   • Receive alerts for suspicious MCP-based data flows and activity
3. Configure your MCP gateway to detect sensitive data in MCP data flows (including PII and credentials) and make appropriate modifications, redactions, or fully block MCP messages containing such data. This is essential to maintain data security and privacy.
4. Considering integrating your MCP gateway with any existing single sign-on (SAML SSO), system for cross-domain identity management (SCIM), identity provider (IdP), and security information and event management system, to solidify your gateway’s access management and security auditing capabilities.
5. Provide specific AI and MCP security training for all teams using MCP servers
6. Wherever possible, use existing network monitoring tools to identify and alert your IT team to MCP traffic signals. This can help you detect and stop “shadow MCP” – usage of MCP servers that is unauthorized and/or outside of your MCP gateway.

Start Scalable, Secure, Successful MCP Adoption With an MCP Gateway

An MCP gateway is the core component of any organization’s MCP ecosystem. It is the central node through which you deploy, provision, manage, monitor, and crucially, secure your MCP servers. 

Without an MCP gateway, MCP deployments are a mess, with dispersed connections, no visibility over traffic and activity, and no way to protect your organization against MCP and AI-borne security risks and threats. 

Even before security and observability become a factor, organizations that try to deploy MCP servers at scale without the packaging and infrastructure that MCP gateways provide typically struggle to get their chosen servers into production and ready for their teams to use.

Adopt and use MCP servers securely with MCP Manager to get your ROI from AI faster. Start for free here.

James Taylor

James Taylor

Senior Digital Marketing Manager

James Taylor is Visor's Senior Digital Marketing Manager. Originally from the UK, he has 8+ years experience writing about all things software and technology, project management and organizational processes. When he's not working you'll find him hiking a hill, attempting to cook ambitious recipes, or gorging on hours of history podcasts and documentaries.