It's Not 23 Malicious MCP Packages. It's 122 — and the Worst Ones Are Postman, Zapier, and Red Hat's Real Servers.
- Patrick Duggan
- 1m
- 3 min read
Yesterday we wired OSV's catalog of known-malicious PyPI packages into our index and found 24 of them squatting the Model Context Protocol ecosystem — the tools AI agents call. This morning we turned on the npm half: a 207MB ZIP64 export, about 214,000 named-malicious advisories. Then we did the unglamorous part — we pulled every MCP-named entry out of both ecosystems and took it apart, package by package, against each one's real registry history and OSV advisory.
The clean number is 122 MCP-named packages flagged malicious by OSV — 24 on PyPI, 98 on npm. But a raw count is the wrong unit, and the names matter more than the total. Here's what's actually in the pile.
Most of the npm side is throwaway fakes — but that's not the scary part
About 52 of the 98 npm entries are throwaway impostors: packages with one or two published versions, no maintainer history, the kind of disposable bait that exists to be mistaken for something real. Add another 9 that are researcher noise — canary tokens, PoC stubs, test artifacts npm has already replaced with 0.0.1-security placeholders. Strip those and you've got the part worth your attention.
Because roughly two dozen of these are not fakes at all. They are real, maintained, name-brand MCP servers — and a specific version of each was poisoned.
The roster you don't want to see
These are genuine packages with long release histories and real maintainer teams, each carrying a narrow malicious version range while the rest of their history is clean:
- @postman/postman-mcp-server — 41 published versions, but versions 2.4.10 through 2.4.12 were backdoored. Aikido, Wiz, and StepSecurity tie it to the Shai-Hulud 2.0 wave.
- @zapier/mcp-integration — versions 3.0.1–3.0.3, same campaign.
- @browserbasehq/mcp and @browserbasehq/mcp-server-browserbase — eight-maintainer packages, single poisoned releases.
- @antv/mcp-server-chart — 44 versions, eighteen maintainers; versions 0.10.10 and 0.11.10 were hit. Socket and SafeDep attribute it to TeamPCP's Mini Shai-Hulud "314 packages" sweep.
- @redhat-cloud-services/hcc-feo-mcp, hcc-kessel-mcp, hcc-pf-mcp — the Red Hat namespace Wiz disclosed on June 1 as Miasma.
- mcp-use, @mcp-use/cli, @mcp-use/inspector — the popular open-source MCP framework; versions 1.4.2–1.4.3 of the core package were poisoned.
Read what that means. The attacker did not need you to fat-finger a package name. They stole a maintainer's npm publish token and shipped a malicious version of the package you already trust and already installed on purpose. The next npm update is the delivery mechanism. That is the entire thesis of the Shai-Hulud / Mini Shai-Hulud / Miasma worm family, and the MCP shelf is now squarely in its blast radius.
Why the headline number was the small half
The reporting this week settled on "23 malicious PyPI packages targeting MCP developers." Our PyPI count came out at 24 — so that number is right, and it's mostly already been taken down: 22 of the 24 are gone from PyPI entirely. But PyPI was the cleaner, smaller ecosystem here. The npm side is four times larger and split between disposable fakes and — the dangerous part — confirmed compromises of real tooling.
What to actually do about it
This is the useful difference between a scary count and a defensible one: the threat isn't "avoid packages named like MCP servers." The threat is specific versions of real packages. So:
- Pin versions and use a lockfile. The poisoned releases are narrow ranges; the rest of each package's history is clean, and the latest versions have been remediated.
- Treat any MCP server your agent loads as code that runs with your agent's permissions — because it is.
- Cross-check installed versions against the flagged ranges above. If you pulled @postman/postman-mcp-server 2.4.10–2.4.12, @zapier/mcp-integration 3.0.x, or the AntV chart server 0.10.10/0.11.10 during the compromise windows, rotate your tokens and assume harvest.
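As an added example (not code from this post or from any of the vendors named in it), here is a small Node script that performs that cross-check against a package-lock.json: it walks the lockfile's "packages" map and reports any installed version that falls inside the ranges listed above. The lockfile content is constructed for the demo; Browserbase and Red Hat are left out of the table because the post gives no version range for them.

```javascript
// Poisoned ranges as listed in the post (inclusive lower/upper bounds).
const FLAGGED = {
  '@postman/postman-mcp-server': [['2.4.10', '2.4.12']],
  '@zapier/mcp-integration':     [['3.0.1', '3.0.3']],
  '@antv/mcp-server-chart':      [['0.10.10', '0.10.10'], ['0.11.10', '0.11.10']],
  'mcp-use':                     [['1.4.2', '1.4.3']],
};

// Compare two dotted numeric versions (x.y.z); a prerelease suffix is ignored.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function inRange(v, [lo, hi]) {
  return cmpVersion(v, lo) >= 0 && cmpVersion(v, hi) <= 0;
}

// Walk a lockfileVersion 2/3 "packages" map. Keys are install paths
// ("node_modules/@scope/name", or nested ".../node_modules/b"); the entry's
// "version" is what was actually installed. Returns every flagged install.
function scanLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const ranges = FLAGGED[name];
    if (!ranges || !entry.version) continue;
    if (ranges.some((r) => inRange(entry.version, r))) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile: one poisoned pin, one clean pin, one nested poisoned dep.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'agent-host', version: '1.0.0' },
    'node_modules/@postman/postman-mcp-server': { version: '2.4.11' },
    'node_modules/@zapier/mcp-integration': { version: '3.0.4' },
    'node_modules/some-tool/node_modules/mcp-use': { version: '1.4.3' },
  },
};

for (const h of scanLock(SAMPLE_LOCK)) console.log(`FLAGGED ${h.name}@${h.version} (${h.path})`);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a hit means the token-rotation step above applies.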
The honest accounting
We deleted our own first draft of this post today because the first cut counted the pile instead of reading it, and "98 npm packages nobody's counting" was wrong on two fronts: most are reported, and the count conflated throwaway fakes with the real story. The corrected picture is 122 MCP-named malicious entries, of which about 113 are substantive once you drop the test noise, and the part that should keep you up isn't the fakes — it's that the worm reached into Postman, Zapier, Red Hat, and AntV and poisoned the real thing.
We turned on a feed. The data told us where to look. The exhaustive read is what told us what it meant.
Credit where due: the attribution work belongs to Aikido, Wiz, StepSecurity, Socket, and SafeDep, whose research populates OSV's catalog. We correlate it against the MCP surface — the door we watch.
