[Security] npm dependency chain for MCP is negligent - ship native binaries

Resolved 💬 3 comments Opened Dec 16, 2025 by nfguide Closed Feb 14, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

MCP plugins rely on npm/npx to fetch dependencies at runtime. npm has a documented history of supply chain
compromises (event-stream, ua-parser-js, node-ipc, colors.js, coa/rc).

Claude Code has full system access - filesystem read/write, shell execution, SSH, credentials. Running
unvetted npm packages with these privileges is a critical security risk.

A single compromised transitive dependency in any MCP plugin = full system compromise.

What Should Happen?

MCP plugins should be:

  1. Native binaries (Go/Rust) - no runtime dependencies
  2. Cryptographically signed
  3. Vendored dependencies - not fetched from npm at runtime
  4. Sandboxed - MCP servers shouldn't inherit Claude Code's full privileges

Error Messages/Logs

N/A - This is a security architecture issue, not a runtime error.

Steps to Reproduce

  1. Enable any npm-based MCP plugin (context7, playwright, sentry)
  2. Plugin fetches packages via npx
  3. Transitive dependencies are pulled from npm without verification
  4. Any compromised dependency now has full system access

This is not a bug to reproduce - it's the intended design, which is the problem.

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.0.70

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Other

Additional Information

Additional Information:
npm supply chain attacks are not theoretical:

| Incident | Year | Impact |
| event-stream | 2018 | Cryptocurrency theft |
| ua-parser-js | 2021 | Cryptominers, password stealers |
| node-ipc | 2022 | Intentional file destruction |
| colors.js | 2022 | Maintainer sabotage |
| coa/rc | 2021 | Credential theft |

npm's structural problems:

  • 1 package = hundreds of unaudited transitive dependencies
  • postinstall scripts run arbitrary code on install
  • No code signing
  • Typosquatting trivial
  • Abandoned packages get hijacked

Security-conscious users currently must disable all npm-based MCP plugins, losing functionality.

This needs to be fixed or clearly documented as an accepted risk.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗