[Security] npm dependency chain for MCP is negligent - ship native binaries
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
MCP plugins rely on npm/npx to fetch dependencies at runtime. npm has a documented history of supply chain
compromises (event-stream, ua-parser-js, node-ipc, colors.js, coa/rc).
Claude Code has full system access - filesystem read/write, shell execution, SSH, credentials. Running
unvetted npm packages with these privileges is a critical security risk.
A single compromised transitive dependency in any MCP plugin = full system compromise.
What Should Happen?
MCP plugins should be:
- Native binaries (Go/Rust) - no runtime dependencies
- Cryptographically signed
- Vendored dependencies - not fetched from npm at runtime
- Sandboxed - MCP servers shouldn't inherit Claude Code's full privileges
Error Messages/Logs
N/A - This is a security architecture issue, not a runtime error.
Steps to Reproduce
- Enable any npm-based MCP plugin (context7, playwright, sentry)
- Plugin fetches packages via npx
- Transitive dependencies are pulled from npm without verification
- Any compromised dependency now has full system access
This is not a bug to reproduce - it's the intended design, which is the problem.
Claude Model
Opus
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.0.70
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Other
Additional Information
Additional Information:
npm supply chain attacks are not theoretical:
| Incident | Year | Impact |
| event-stream | 2018 | Cryptocurrency theft |
| ua-parser-js | 2021 | Cryptominers, password stealers |
| node-ipc | 2022 | Intentional file destruction |
| colors.js | 2022 | Maintainer sabotage |
| coa/rc | 2021 | Credential theft |
npm's structural problems:
- 1 package = hundreds of unaudited transitive dependencies
- postinstall scripts run arbitrary code on install
- No code signing
- Typosquatting trivial
- Abandoned packages get hijacked
Security-conscious users currently must disable all npm-based MCP plugins, losing functionality.
This needs to be fixed or clearly documented as an accepted risk.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗