What Is MCP Connector Poisoning?

Why Agentic Execution Amplifies the Risk

The Attack Chain: From Compromised Package to Compromised Agent Host

Detecting MCP Connector Poisoning Before It Ships

Layer 1: SCA Scanning on Every Dependency Install

Layer 2: MCP Server Manifest Auditing

Layer 3: CLAUDE.md and Agent Configuration Auditing

The Local-First Advantage in Supply Chain Defense

What to Do Right Now

The Broader Pattern: Agentic Workflows Demand Local Gates On March 31, 2026, the axios npm package, one of the most-downloaded JavaScript libraries in existence with over 100 million weekly installs, was compromised via a hijacked maintainer account. Two malicious versions injected a hidden dependency that silently deployed a cross-platform Remote Access Trojan on macOS, Windows, and Linux. After execution, the malware erased itself from node_modules, leaving no visible trace. The timing was brutal. Developers worldwide running npm install or npm update on projects with a caret dependency on axios (the default) pulled the compromised version without any indication that anything was wrong. But the story gets worse when you factor in the new reality of AI-assisted development: coding agents do not wait for human approval before running npm install. ⚠️ The new threat model: AI coding agents like Claude Code, Cursor, and GitHub Copilot Workspace autonomously execute npm install, pip install, and npm update as part of their normal workflows. A compromised package that executes on install now has a vector to run on any machine where an agent operates, with no human ever seeing a prompt. Before we dig into the axios incident, it helps to understand a related but distinct threat that has been growing in parallel: MCP connector poisoning. The Model Context Protocol (MCP) is the open standard that allows AI agents to connect to external tools and services. When you install an MCP server, you are effectively granting an AI agent a new capability, whether that is reading a filesystem, querying a database, or sending emails. The ecosystem has exploded in 2026, with thousands of open-source MCP connectors published to npm, PyPI, and GitHub. Tool poisoning attacks exploit the way MCP registers tool metadata. Each tool has a name and a description that the AI agent reads to understand what the tool does. That description is visible to the model but not displayed to users. An attacker can embed hidden instructions directly in this description: In September 2025, researchers documented the first confirmed real-world MCP supply chain compromise: a backdoored npm package called postmark-mcp modified its send_email function to BCC every outgoing email to an attacker-controlled domain. Traditional supply chain attacks target humans: a developer runs npm install, the malicious postinstall hook fires, and an alert analyst notices unusual process activity. Human friction creates detection opportunities. Agentic development removes that friction. When Claude Code or Cursor installs a dependency on behalf of a developer, the interaction happens inside a tool call. The developer sees a summary in the chat interface, not a terminal. Process monitoring alerts fire in a window that is not in focus. The postinstall hook executes and self-deletes before the agent's next turn even begins. The axios attack window was 179 minutes. In that window, any CI/CD pipeline running npm install, any developer workspace with auto-update enabled, and any AI agent performing autonomous dependency management was exposed. The self-deleting payload meant npm audit returned clean before the packages were yanked. The axios attack succeeded partly because most teams run SCA checks on known CVEs, not on behavioral changes between package versions. A meaningful local SCA check in 2026 goes beyond vulnerability databases. When LucidShark's SCA scanner evaluates a dependency, it checks: Does this version have a valid SLSA provenance attestation? Does the package manifest include postinstall scripts not present in the previous version? Does the dependency graph include new transitive dependencies? Are there new network permission requests? For the axios attack, a behavioral SCA check would have flagged: postinstall hook not present in axios 1.8.3 now present in axios 1.14.1, new transitive dependency plain-crypto-js not in lockfile, no SLSA provenance attestation on the new version. When evaluating MCP server packages, the same SCA principles apply with additional checks: CLAUDE.md files in a repository root act as persistent instructions for Claude Code. An attacker who can commit to a repository can embed instructions that modify agent behavior across all sessions. Static analysis of CLAUDE.md files can flag HTML comments (which models read but developers ignore), zero-width Unicode characters used for invisible text injection, unusual role or persona instructions, and instructions to access external URLs or read files outside the project directory. Cloud-based SCA services introduce a latency problem for agentic workflows. If your SCA check runs as a CI gate, the check fires after the agent has already made the npm install decision, after the code has been committed, and after the postinstall hook has potentially executed. Local-first SCA runs at the moment of change: when the lockfile updates, before the install completes, before the agent moves to the next step. This is the only timing that can actually prevent execution. There is also a privacy dimension. Sending your package manifest to a cloud SCA service reveals your entire technology stack to a third party. For competitive or compliance reasons, many teams cannot or should not do this. Local analysis keeps your dependency graph on your machine. The axios attack, the MCP tool poisoning threat, and the CLAUDE.md injection vector all share a common structure: they exploit trust that humans would have questioned but agents extend automatically. The response is not to distrust AI agents but to build local gates that verify trust at each extension point. Pre-install provenance checks, behavioral diff analysis on lockfile changes, and static auditing of agent configuration files are all checks that run in milliseconds and can be part of every agent workflow. Install LucidShark: npm install -g lucidshark. Documentation at https://lucidshark.com. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse