
We Turned On a PyPI Feed This Morning. It Found 24 Malicious MCP Packages — One Named 'runcommand-server'.

  • Writer: Patrick Duggan
  • 5 minutes ago
  • 3 min read

This morning we wired up a new threat feed — OSV's catalog of known-malicious PyPI packages, about 11,400 of them, pulled into our index. Routine plumbing. Then we pulled the string to see what the new data connected to, and it walked straight into the one surface we know better than almost anyone: Model Context Protocol servers — the tools AI agents call.


The new feed contains 24 malicious PyPI packages targeting the MCP/agent ecosystem. Not generic malware that happens to be on PyPI. Packages named to be mistaken for the libraries AI developers install on purpose.



The roster


Here's a sample of what's sitting in the malicious-PyPI catalog, all impersonating MCP and agent tooling: mcp-runcommand-server and mcp-runcommand-server2, mcp-runcmd-server, mcp-transport-proto, mcp-pdftool-plus, openai-mcp, langchain-core-mcp, groq-mcp, ray-mcp-server, tiktoken-mcp, instructor-mcp, story-mcp-hub, docontrol-mcp, vulndify-mcp-server, and — the one that should make you sit up — latinum-wallet-mcp.


Read those names the way a hurried developer does. They look exactly like real packages. openai-mcp, langchain-core-mcp, tiktoken-mcp — you'd pip-install any of them at 4pm without blinking. And the most honest tell is in the names that describe their own function: mcp-runcommand-server. An MCP server is a thing an AI agent connects to and trusts to execute tools. A malicious one literally named "run command server" is the attack stated out loud — give the agent a tool, the tool runs the attacker's commands, on your machine, with your agent's permissions.


Widen the lens past pure MCP and the cluster is bigger: roughly 35 malicious packages typosquatting the AI tooling stack — 13 impersonating OpenAI (openai-async-helpers, openai-spellchecker), plus Anthropic typosquats (anthropy, strands-agents-anthropic, anthropickit), HuggingFace typosquats (huggingface-hubs, huggingfaces-hub), and LangChain typosquats. The entire AI supply chain is being squatted, and latinum-wallet-mcp shows where it's heading — an MCP package aimed at crypto wallets, fusing the agent-tooling vector with the wallet-drainer vector.



Why this is the surface we were built to watch


We crawl the legitimate MCP namespace at scale — over 1.14 million MCP servers mapped, with security findings on them, and a judge (dredd) that evaluates an MCP server's dependency graph before an agent is allowed to invoke it. We checked: do these 24 malicious packages appear in our crawl of real servers? Honestly — no, not by name, and we're not going to pretend otherwise. They aren't registry entries; they're impersonators that live on PyPI and prey on people reaching for the real thing.


And that's exactly why having both datasets matters. Our crawl is the map of the legitimate territory. The malicious-PyPI feed is the map of the forgeries of that territory. A defender who holds only one is half-blind: know the real xraylib-mcp-server but not the malicious ray-mcp-server squatting next to it, and you can't tell your developers which one's safe. Hold both and you can say, per package, "this is the real one, that's the trap." The two feeds don't overlap — they complete each other.



What it means for anyone building with agents


The AI-agent supply chain has the same disease the npm and PyPI ecosystems already have, and it arrived faster. The barrier between "I want an MCP tool for X" and "I installed an attacker's command runner" is one typo and one trusting pip install. Agents make it worse, because an agent installing or invoking a tool doesn't pause to wonder whether mcp-runcommand-server is the package it meant — it just uses it, with whatever access it has.


The defenses are the boring, durable ones: pin your dependencies, verify the exact package name and publisher before install, and treat any MCP server your agent connects to as untrusted code until its provenance and dependency graph check out. The fancy version of that last step is what dredd does; the cheap version is reading the package name twice.
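The cheap version of those defenses can be scripted as a pre-install gate. The example below is added here and is not the post's or dredd's tooling: it checks a requirements file against a constructed subset of the malicious names cited above, against an assumed allowlist of the real packages a project intends to install, and flags unpinned entries; the lookalike heuristic (trusted name plus a squat-style suffix, or a high similarity ratio) is an assumption about squat shapes drawn from the names in the post, not a published rule.

```python
"""Pre-install gate for a pip requirements list (added example, not the post's tooling)."""
import re
from difflib import SequenceMatcher

# Constructed sample of the feed: a subset of the names the post cites as malicious.
KNOWN_MALICIOUS = {
    "mcp-runcommand-server", "mcp-runcommand-server2", "mcp-runcmd-server",
    "openai-mcp", "langchain-core-mcp", "tiktoken-mcp", "ray-mcp-server",
    "latinum-wallet-mcp", "anthropy", "huggingface-hubs", "huggingfaces-hub",
}
# Assumed allowlist: the real packages this project intends to install.
TRUSTED = {"openai", "anthropic", "groq", "langchain-core", "tiktoken",
           "huggingface-hub", "xraylib-mcp-server"}
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*\S+)?\s*$")
# Squat shapes from the post: trusted name + '-mcp'/'-mcp-server', a digit, or an 's'.
SQUAT_SUFFIX = re.compile(r"^(-mcp(-server)?|s|\d+)$")

def normalize(name: str) -> str:
    """PEP 503 normalization, so huggingface_hub and huggingface-hub compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def lookalike_of(name: str):
    """Return the trusted package that `name` most plausibly impersonates, else None."""
    for trusted in TRUSTED:
        if name.startswith(trusted) and SQUAT_SUFFIX.match(name[len(trusted):]):
            return trusted
        if SequenceMatcher(None, name, trusted).ratio() >= 0.85:
            return trusted
    return None

def classify(req_line: str) -> tuple:
    """Map one requirements line to (normalized name, verdict)."""
    m = REQ_LINE.match(req_line.strip())
    if not m:
        return req_line.strip(), "unparsed"
    name, pinned = normalize(m.group(1)), m.group(2) is not None
    if name in KNOWN_MALICIOUS:          # exact hit on the feed: never install
        return name, "malicious"
    if name in TRUSTED:                  # right package; still insist on a pin
        return name, "ok" if pinned else "unpinned"
    squatted = lookalike_of(name)        # not on the feed yet, but shaped like a squat
    return name, f"lookalike:{squatted}" if squatted else "unknown"

def check_requirements(text: str) -> dict:
    """Classify every non-empty, non-comment line of a requirements file."""
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return dict(classify(l) for l in lines)

# Constructed requirements file exercising each verdict.
SAMPLE = "openai==1.30.0\nhuggingface_hub==0.23.0\ntiktoken\nlangchain-core-mcp==0.1.0\ngroq-mcp==0.2.0\nanthropickit==1.0.0"
```

Running `check_requirements(SAMPLE)` marks langchain-core-mcp as malicious, groq-mcp and anthropickit as lookalikes of groq and anthropic even though neither is in the sample feed, and tiktoken as unpinned.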


We're capping confidence at 95 percent, as always: this is a point-in-time snapshot of one feed, the malicious set grows daily, and "24 MCP packages" is what we can see today, not a complete census. But the direction is not in doubt. The supply-chain attackers found the AI tooling aisle, and they're stocking the shelves with forgeries. We turned on one feed this morning and it had two dozen of them sorted onto the exact surface we map. Credit to OSV for cataloging the malicious packages; we brought the MCP map to lay them against.



