Research
By Michael K Onyekwere
Analysis on MCP security and the AI agent ecosystem. The canonical record lives on this site. Selective Dev.to cross-posts exist for pieces that benefit from wider distribution.
On this site
What repeated MCP package drift looks like in the wild
Three material reshapes across @planu/cli, plus a nine-hour publish burst in agent-planner-mcp, show why change history matters more than a single package score.
When an MCP package outlives its repository
The GitHub repo for Shortcut's MCP server is archived, while @shortcut/mcp remains installable on npm. Why abandonment is a real supply-chain signal for MCP consumers.
How to Secure Your MCP Server in 5 Minutes, Step-by-Step Tutorial
A practical tutorial for adding security to any MCP HTTP server. Install mcp-trust-guard, enable the KYA abuse database, set up tool-level permissions, and scan your dependencies, all in under 5 minutes.
When AI Agents Go Rogue: The Trust Crisis Nobody Is Ready For
OWASP published its first Top 10 for Agentic AI. The Agents of Chaos study found 11 security failures in autonomous agents. 48% of cybersecurity pros say agentic AI is the #1 attack vector. Here is everything going wrong, and what trust infrastructure needs to look like.
State of the Agent Economy: Q1 2026
The agent economy hit $10.9 billion in 2026. Meta bought Moltbook, Google launched A2A, and 143,000 agents are now indexed across six registries. Here is everything happening, and what is still missing.
Meta Just Bought Moltbook. 2.8M AI Agents, Still No Trust Layer.
Meta acquired Moltbook today, the social network for 2.8 million AI agents. The deal validates the agent economy but exposes a critical gap: there is still no independent way to verify if an agent is trustworthy before you pay it.
The Agent Trust Gap: $120M Weekly Transactions, Zero Verification
Alipay processes 120 million AI agent transactions per week. NIST launches agent standards. Mastercard and Visa enter agent payments. But nobody is verifying who these agents are. The trust gap is the biggest risk in the agent economy.
State of the Agent Economy, March 2026
2.8 million agents on Moltbook, 21,000 on-chain identities via ERC-8004, and the first agent ecosystem with risk assessments. Here is where the agent economy stands in March 2026.
Selected on Dev.to
Four MCP packages, four ways the supply chain shifted in two weeks of npm monitoring
Four worked examples from the watch feed: a four-capability major version bump, four versions in nine hours, a backlog dump that opened a HIGH finding, and a maintainer-driven scanner improvement loop.
Continuous monitoring caught a credential leak in a published MCP package. Six republishes later, it is still there.
A real disclosure timeline from continuous monitoring of nearly a thousand MCP packages. What it looks like when private disclosure stalls and how the public CVE pipeline takes over.