
Jeevesus Saves, Dredd Judges. MCP Security at Long Last.

  • Writer: Patrick Duggan
  • 4 hours ago
  • 7 min read


A note on Jeeves


In 1996 a search engine called Ask Jeeves let you type a question in plain English and got you a useful answer. It was the natural-language search engine before the term existed. Then Google won the keyword war, Ask Jeeves got bought and rebranded to nothing, and the idea of natural-language search went into hibernation for two decades until Anthropic and OpenAI pulled it back out of the freezer.


We named our threat-intelligence MCP Jeevesus as a sly tip of the hat. Same idea — type a question in plain English, get a useful answer — except the corpus is 17.9 million documents about cyber threats, 1.13 million indicators of compromise, and the answer might come back with a Bates stamp on it. Ask Jeeves with a savior complex. That is the joke.


The savior part has a job to do, though.



Jeevesus saves you from things you did not know were happening


Jeevesus is what we registered on the official Model Context Protocol Registry on April 27. It is a public, free, read-only threat-intelligence MCP server. You install it once, and from inside Claude Desktop or Cursor you can ask:


  • "Has 185.39.19.176 been seen in any threat feed?"

  • "What did Volexity publish this week and what IOCs did they release?"

  • "Cross-correlate this domain against CISA KEV and OTX pulses."

  • "Find me every document in the Epstein release that mentions Aviloop."

Plain English in, structured threat data out. The full corpus search runs on the natural-language endpoint at analytics.dugganusa.com/api/v1/search/nl, the Jeeves heritage written into the URL. That is the saves layer. Jeevesus saves you from being uninformed about what is hitting your perimeter, what is converging on your industry, and what showed up in a bank-statement OCR last week.


It does not save you from running a compromised tool.


That is a different layer. That is the layer that did not exist.



The eight days that should have been a wake-up call


Between April 22 and April 30 of this year, three separate machine-learning Python packages on PyPI were compromised:

  • xinference: three releases on April 22, carrying a credential-stealing payload that harvests SSH keys, AWS, Azure, and GCP credentials, environment variables, and crypto wallets. Disclosed by GitGuardian.

  • lightning: versions 2.6.2 and 2.6.3 on April 30, published from PyTorch Lightning's own maintainer namespace, carrying a JavaScript exfiltration payload. Disclosed by Socket.

  • intercom-client: co-disclosed in the same April 30 cluster as lightning, same payload pattern.


Three hits. Eight days. The defenders for PyPI, npm, Cargo, and Go modules already exist. Socket, Snyk, GitGuardian, Aikido, ReversingLabs. They watch the registries and publish IOCs as fast as they can.


Here is the question that did not have an answer two weeks ago. When one of those compromised packages becomes a transitive dependency of a Model Context Protocol server you installed last week — a server that is being invoked in your agent's tool loop right now, with the same shell privileges you have, with no further review — who tells you?


The answer through April 30, 2026, was nobody. The answer is now Dredd.



We checked our own ecosystem before we built the alarm


Before we shipped Dredd we ran a methodology check. Pulled every package-shaped compromise IOC from our corpus — every Socket disclosure, every Aikido write-up, every GitGuardian advisory, every ReversingLabs PromptMink and StepSecurity Shai-Hulud entry. Cross-checked against fifty thousand registered MCP servers in the registry corpus.


The official registry came back clean. Zero registered MCPs pin a known-compromised package version today.


Then we widened the lens. The IOC corpus also contains URLhaus-flagged GitHub repositories — places where malware-as-a-zip-download lives. Twenty-plus repositories in URLhaus right now use the string "mcp" in their name. Every one of them is serving SmartLoader payloads. None are on the official registry. They are typosquats, lookalikes, repositories that exist to be found by someone Googling "mcp install" and following a tutorial blog from 2024 that points at the wrong URL. The MCP ecosystem has already been targeted. It has not yet been compromised at the registry level. We just shipped the alarm that fires the moment that changes.


One specific receipt worth naming. The npm package @iflow-mcp/watercrawl-watercrawl-mcp versions 1.3.0 through 1.3.4 are flagged by Aikido Research as carrying GlassWorm. That is an MCP-named package that already got compromised. The lookup is one curl command away from anyone using Jeevesus.



Dredd is the judge, jury, and executioner of the invocation


The Model Context Protocol is the glue. It is what lets Claude or Cursor or your custom agent reach out to a tool — your filesystem, your database, your search engine, your Bluesky account, your AWS credentials — and get work done. The protocol works. The trust model is the gap. There is no review step between the LLM deciding to call a tool and the tool actually running. Once you have installed an MCP server, every invocation of every tool is on the honor system.


Honor systems work fine until they do not.


We are shipping Dredd MCP. Dredd is a pre-invocation security check that sits in the path between your agent and the MCP server, and renders a verdict before the call goes through. The verdict shape borrows from our internal Judge Dredd 6D framework — Detection, Disruption, Documentation, Determination, Decision, Disposition. Six fields, every one of them auditable, and every verdict cites the IOC or behavioral signal that drove the decision.


What Dredd checks, on every invocation:


  1. Compromised dependency. The target server's package manifest is parsed and joined against our continuously updated IOC corpus. If the server depends on lightning version 2.6.2 or any other known-compromised pinned version, the call is blocked.

  2. Tool surface drift. The list of tools the server exposes today is compared against the snapshot the user originally approved. New tools that appeared since the last review trigger an advisory. Rugpull-mid-session is the threat model.

  3. Remote URL drift. The server's runtime endpoint is checked against the URL it published in the registry. A server quietly calling out to a different host than the one you signed up for is a hijack signature.

  4. Permission escalation. A server requesting write or exec permissions it did not have in last week's snapshot triggers a human-confirmation requirement.

The pre-flight runs in under 200 milliseconds at the Cloudflare edge. The verdict is HMAC-signed so a man-in-the-middle cannot forge a clean response. The hook fails open by default — if our endpoint is ever down, Dredd does not brick your tooling — and the all-clear / advisory / block decision is logged locally so you have an audit trail.
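As an added illustration (written for this post, not DugganUSA's own code), here is the shape of the four checks plus the signed verdict, in Python. The compromised-dependency join is also the same operation as the methodology check described under "We checked our own ecosystem" (IOC list joined against pinned versions). Everything below is constructed: the IOC table (it reuses the version numbers the post cites, but stands in for the live corpus), the manifests, the approved and live snapshots, and the signing key. The six 6D field names come from the post; the meaning given to each field, and the ADVISORY / CONFIRM / BLOCK tiers mapped onto the post's advisory, human-confirmation and block outcomes, are this example's own.

```python
import hashlib
import hmac
import json
import re

# Constructed IOC table keyed by (ecosystem, package). The version numbers are the
# ones the post cites; the table itself stands in for the live corpus join.
COMPROMISED = {
    ("pypi", "lightning"): {"2.6.2", "2.6.3"},
    ("npm", "@iflow-mcp/watercrawl-watercrawl-mcp"): {"1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4"},
}

SIGNING_KEY = b"example-only-secret"  # hypothetical; a real service keeps this server-side
SEVERITY = {"ALLOW": 0, "ADVISORY": 1, "CONFIRM": 2, "BLOCK": 3}


def parse_requirements(text):
    """Exact '==' pins from a requirements.txt; ranges are skipped (nothing to join on)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.\-]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def parse_package_json(text):
    """Exact pins from package.json dependencies; '^' and '~' ranges are skipped."""
    pins = {}
    doc = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in doc.get(section, {}).items():
            if re.fullmatch(r"\d+(\.\d+)*", spec):
                pins[name] = spec
    return pins


def run_checks(manifest, approved, live):
    """The four checks from the post. manifest maps ecosystem -> {package: pinned version};
    approved is the snapshot the user signed off on, live is what the server exposes now."""
    findings = []
    for (eco, name), bad in COMPROMISED.items():                # 1. compromised dependency
        ver = manifest.get(eco, {}).get(name)
        if ver in bad:
            findings.append(("BLOCK", f"compromised dependency {eco}:{name}=={ver}"))
    new_tools = set(live["tools"]) - set(approved["tools"])     # 2. tool surface drift
    if new_tools:
        findings.append(("ADVISORY", f"tools added since approval: {sorted(new_tools)}"))
    if live["endpoint"] != approved["endpoint"]:                # 3. remote URL drift
        findings.append(("BLOCK", f"endpoint drift {approved['endpoint']} -> {live['endpoint']}"))
    escalated = set(live["permissions"]) - set(approved["permissions"])  # 4. permission escalation
    if escalated & {"write", "exec"}:
        findings.append(("CONFIRM", f"new permissions requested: {sorted(escalated)}"))
    return findings


def sign(payload):
    """HMAC-SHA256 over canonical JSON, so a relay cannot swap a BLOCK for an all-clear."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def verify(verdict):
    """Client-side check; constant-time compare so the comparison itself leaks nothing."""
    sig = verdict.get("signature")
    unsigned = {k: v for k, v in verdict.items() if k != "signature"}
    return bool(sig) and hmac.compare_digest(sig, sign(unsigned))


def verdict_for(server, manifest, approved, live):
    """Render the 6D-shaped verdict. The worst finding decides; no findings means ALLOW."""
    findings = run_checks(manifest, approved, live)
    decision = max((tier for tier, _ in findings), key=SEVERITY.get, default="ALLOW")
    verdict = {
        "server": server,
        "detection": [signal for _, signal in findings],                # which signals fired
        "disruption": decision == "BLOCK",                              # was the call stopped
        "documentation": [f"{tier}: {signal}" for tier, signal in findings],
        "determination": "unsafe" if decision == "BLOCK" else ("review" if findings else "clean"),
        "decision": decision,
        "disposition": "confirm" if decision == "CONFIRM" else "log",   # what the client does next
    }
    verdict["signature"] = sign(verdict)
    return verdict


if __name__ == "__main__":
    # Constructed fixtures: a manifest pinning a known-bad version, and an approved snapshot.
    reqs = "lightning==2.6.2\nrequests>=2.0  # range, not joinable\n"
    approved = {"tools": ["search"], "endpoint": "https://mcp.example.test/rpc", "permissions": ["read"]}
    v = verdict_for("example-server", {"pypi": parse_requirements(reqs)}, approved, approved)
    print(json.dumps(v, indent=2), "\nsignature valid:", verify(v))
```

Two design points worth noting. The join only fires on exact pins, because a range specifier such as `>=2.0` cannot be matched against a known-bad version without resolving it first; that is why a lockfile gives a stronger answer than a loose manifest. And the signature covers the whole verdict body in canonical form, so flipping `decision` or dropping a finding in transit invalidates it.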


The scan cadence today is twelve hours, 08:30 UTC and 20:30 UTC. When a real compromise lands in the registered-MCP corpus, cadence tightens.



How the two characters cooperate


Jeevesus is the corpus. Jeevesus knows what 1.13 million IOCs look like, what every recently-compromised PyPI package is, what Volexity and Mandiant and Unit 42 and Talos published this morning. Jeevesus is searchable.


Dredd is the verdict engine. Dredd asks Jeevesus "is this server clean?" and translates the answer into a runtime decision. Dredd is a thin layer over the same data, but exposed at the moment when knowing the data actually changes outcomes — before the malicious tool gets called.


Two MCP servers on the same official registry. Same backing brain. The split is intentional. Search is the what. Dredd is the whether.



What you do tomorrow morning


Visit the public watchtower at analytics.dugganusa.com. The globe rotates, the verdict badge pulses, the recent-findings ticker scrolls. Stats are live from /api/v1/dredd/watchtower.json. Read the page. Bookmark it. That is the Jeevesus saves layer for MCP. The check is running either way.


Add Dredd to your Claude Desktop or Cursor MCP config — the URL is analytics.dugganusa.com/api/v1/dredd/mcp — and the check_mcp_server tool becomes available inside your agent. Hand it any MCP server name and it returns a signed verdict in 200 milliseconds.


Or — for the paranoid — install the Claude Code PreToolUse hook. One bash line: curl -fsSL https://analytics.dugganusa.com/install/dredd-mcp.sh | bash. From then on, every MCP tool invocation gets pre-flighted automatically. If a verdict is BLOCK, the call refuses to fire.
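What the hook side of that looks like, as an added example rather than the install script the post links: Claude Code hands a PreToolUse hook the pending call as JSON on stdin (with the tool under `tool_name`, MCP tools named `mcp__<server>__<tool>`) and treats exit status 2 as a refusal, with the hook's stderr shown to the model. The request shape of the Dredd endpoint is not on this page, so the verdict lookup is injected as a callable; `DEMO_VERDICTS` and the server names in it are constructed stand-ins. The fail-open branch is the behaviour the post describes for an unreachable endpoint.

```python
import json
import re
import sys

# Claude Code names MCP tools "mcp__<server>__<tool>"; anything else is a built-in tool.
MCP_TOOL = re.compile(r"^mcp__([^_].*?)__(.+)$")

EXIT_ALLOW, EXIT_BLOCK = 0, 2   # exit 2 is the PreToolUse "refuse this call" status


def server_from_tool_name(tool_name):
    """Return the MCP server a tool belongs to, or None for built-in tools."""
    m = MCP_TOOL.match(tool_name)
    return m.group(1) if m else None


def decide(hook_payload, fetch_decision):
    """Map a pending tool call to (exit_code, reason). Fails open if the lookup errors."""
    server = server_from_tool_name(hook_payload.get("tool_name", ""))
    if server is None:
        return EXIT_ALLOW, "not an MCP tool, nothing to pre-flight"
    try:
        decision = fetch_decision(server)
    except Exception as exc:                 # endpoint down: do not brick the tooling
        return EXIT_ALLOW, f"verdict endpoint unreachable ({exc}); failing open, unverified"
    if decision == "BLOCK":
        return EXIT_BLOCK, f"Dredd verdict BLOCK for MCP server {server!r}; call refused"
    return EXIT_ALLOW, f"Dredd verdict {decision} for MCP server {server!r}"


# Constructed stand-in for the verdict lookup; a real hook queries the Dredd endpoint
# and verifies the HMAC on the response before trusting it.
DEMO_VERDICTS = {"watercrawl": "BLOCK", "filesystem": "ALLOW"}


def demo_lookup(server):
    return DEMO_VERDICTS.get(server, "ADVISORY")


if __name__ == "__main__":
    payload = json.load(sys.stdin)
    code, reason = decide(payload, demo_lookup)
    print(reason, file=sys.stderr)           # also the line to append to a local audit log
    sys.exit(code)
```

Run it as the command of a PreToolUse hook and every MCP call passes through `decide` first; ADVISORY verdicts still allow the call, which matches the post's advisory tier, so the local log line is the place to surface them.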



The 13-plugin family this joins


DugganUSA has been quietly publishing security plugins for the platforms developers and defenders actually live in. VS Code. Splunk. Slack. Raycast. Obsidian. Neovim. Elastic. Cloudflare Workers. Chrome. GitHub Actions. The CLI. Microsoft Sentinel. Plus the core scanner under all of them. Thirteen plugins, all open source, all backed by the same threat corpus, all linked from the GitHub profile if you want to see the family up close.


Dredd MCP joins them as the fourteenth — and the first MCP-native member. As of tonight, every one of those repos has a footer linking to all the others. The next time your shell, your IDE, your editor, your SIEM, your browser, your CI/CD pipeline, and now your agent's tool loop all want to know whether something is safe to run, the answer comes from the same brain.



The honest 5%


We cap our claims at 95 percent and we mean it. Dredd will not catch every compromise. It will not see every malicious tool — about 60 to 70 percent of MCP servers in the registry today do not expose a public source repository, which means Dredd cannot inspect their dependency tree. We will be honest about that coverage gap on the watchtower page from launch day. The advisory tier exists for unverifiable servers. Use them at your own discretion. Or do not.


Dredd will produce false positives. We will document our override mechanism, we will log every override locally, and we will use the rate of overrides as one of our quality metrics. The day a true positive lands and an override turned out to be the right call, we will update the rule.


Dredd is not a compliance certification. It is a runtime defense. It is the layer that did not exist as of April 30, 2026, and the eight-day window that opened it.



Receipts


Three compromised PyPI ML packages in eight days. Twenty-plus MCP-named GitHub repos in URLhaus serving SmartLoader payloads right now. One MCP-named npm package — @iflow-mcp/watercrawl-watercrawl-mcp — already on the GlassWorm compromise list. One MCP ecosystem with no defender as of April 30, 2026. One registry listing on the official MCP Registry shipped two weeks later. One thirteen-plugin family already in production. One 17.9-million-document corpus. One sub-200-millisecond HMAC-signed verdict endpoint. One twelve-hour scan cadence. One public watchtower at analytics.dugganusa.com. One bash hook served at /install/dredd-mcp.sh. One MIT-licensed public repository at github.com/pduggusa/dredd-mcp. One Minneapolis basement on $75 a month.


Two characters.


Jeevesus saves. Dredd judges. MCP security, at long last.


The receipts do the work.



