```html ``` We Shipped a Free MCP Tool That Makes Your AI Agent Refuse Malicious Packages. One Call, No Key. Here's How to Wire It In.
top of page

We Shipped a Free MCP Tool That Makes Your AI Agent Refuse Malicious Packages. One Call, No Key. Here's How to Wire It In.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 34 minutes ago
  • 3 min read

Earlier today we published a field map of 2026's novel attack chains, and the argument underneath it was that the AI agent has become the pivot point of the modern attack: a privileged process, sitting on your secrets, that acts on instructions it reads from its environment. One of the cleanest ways to weaponize that is the supply chain — get the agent to install a poisoned dependency, and you are inside. HalluSquatting does it by exploiting the fact that models invent package names. Hijacked-maintainer cascades do it by poisoning packages you already trust.


So we built the smallest possible defense for it, put it in production this afternoon, and we are giving it away. It is called check-package, and it does one thing: it lets your AI agent ask us whether a dependency is malicious before it installs it.



What it is


check-package is a tool on our public Model Context Protocol server. An AI coding agent — the kind that reads your repo, reasons, and runs npm install or pip install on its own initiative — calls it with an ecosystem and a package name, and gets back a crisp, machine-actionable verdict: block, allow, or review. Behind that verdict is our OSV-curated malicious-package deny-list: 215,000-plus named packages across npm and PyPI — real, specifically-named bad packages, not heuristics that cry wolf.


Ask it about a known-malicious npm package and it returns malicious true, verdict block, with the OSV advisory ID and the plain instruction: do not install. Ask it about an ordinary package like PyPI's requests and it returns malicious false, verdict allow — with the honest caveat that absence from a deny-list is not proof of safety, so pin and review your new dependencies regardless. It is version-aware when the advisory is version-scoped, and it blocks on any version when the whole package is poisoned.


We verified it live before writing this: known-bad blocks, known-good allows. It is running right now.



How to wire it in (this is the whole point)


We wanted this to be the easiest AI-supply-chain protection anyone can adopt, so there is no signup, no key, and no lock-in for the guardrail. The MCP endpoint is the base of our API at analytics.dugganusa.com, path /api/v1/mcp.


If you run agents in Microsoft Foundry, add it as a remote MCP server from the Add Tools catalog, then tell your agent: before installing any dependency, call check-package, and if the verdict is block, refuse and report. If you use Claude Code, Cursor, Amazon Bedrock AgentCore, LangGraph, or any other MCP client, register the same endpoint and give the same instruction. That is the entire integration — one URL and one line of guidance, and your agent now vets every dependency against a quarter-million known-bad packages before it touches your machine.


If you would rather stop the poison at the build instead of the agent, the same deny-list is a plain CI feed at /api/v1/stix-feed/packages.json — fail your build on a name-and-version match and nothing reaches the agent in the first place. And if you want to watch what your agents are actually doing, our full integration guide walks through pairing this with your AI platform's OpenTelemetry traces in a SIEM, so the exfiltration and remote-code-execution chains from this morning's map become detection rules you can alert on.



Why free, and why now


Held to about ninety-five percent: the guardrail catches what is on the deny-list, and the deny-list, while large and curated, is not the entire universe of bad packages — so this is a strong layer, not a force field. The underlying package intelligence is OSV's, curated by us; credit where it belongs.


As for why we are giving the runtime guardrail away with no key: because the whole problem with AI-agent security right now is friction. Every team is suddenly running agents that install things autonomously, and almost none of them have a guardrail in front of it, because the guardrails that exist are painful to adopt. A protection nobody integrates protects nobody. So we made the integration a single URL and removed every reason not to try it. The deeper tiers — higher rate limits, private feeds, a managed detection pack for your SIEM — are where we make our money. The thing that stops your agent from installing malware should be free, and starting this afternoon, it is.


The attackers already understand that your AI agent is the way in. The first step of the defense is a guardrail your agent calls before it acts. Now there is one, it costs nothing, and it is one line of config away.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page