Running npx Directly Invites Supply Chain Attacks

▶ Watch (0:44)

Osorio opened with a warning: running npx directly to start MCP servers is dangerous. He pointed to the first malicious MCP server, Postmark MCP, and to CVE-2025-6514, an exploitable critical vulnerability. He noted that attacks are getting more aggressive and that the ecosystem’s growth attracts attackers. He urged the audience to ask four questions: what is in the package, who built it, how it was built, and whether you can enforce policies.

OCI Images as a Standard Packaging Format

▶ Watch (6:06)

Osorio proposed OCI images as the packaging format for MCP servers. An OCI image is a glorified tarball with metadata, content-addressable via a cryptographic hash. It supports multi-architecture images. Registries like Docker Hub, GitHub Container Registry, and Quay all implement the OCI spec. The referrers API allows attaching extra artifacts such as SBOMs and signatures. This format gives users a complete view of what runs, including operating system packages.

Demo: Build, Scan, Sign, Attest

▶ Watch (16:08)

Osorio live-demoed the process. He built a container from node:24-slim, then scanned it with Grype. The scan found 107 vulnerabilities, including won’t-fix high-severity issues in dpkg and a potentially exploitable libc. He generated an SBOM with Syft, which listed 3600 components. He pushed the image to a registry, signed it with Cosign using his Google identity, and attached SLSA provenance attestations. Signing used an ephemeral key tied to that identity, and the private key was deleted afterwards.

Limitations and Defense in Depth

▶ Watch (28:36)

Osorio acknowledged that OCI images are not a silver bullet. Tool poisoning, where an MCP server’s description misleads an agent, cannot be prevented by a secure container. Tool shadowing and rug pulls require trusted registries and cryptographic pinning. OCI allows pinning to a specific digest, not just a tag. He recommended combining OCI with scanners, Cosign, policy enforcement, and staying informed.
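The demo flow (build, scan, SBOM, push, sign, attest) and the digest pinning discussed here, as an added shell example that is not the speaker's demo code: it scripts the publisher side, signs only the digest-pinned reference rather than the tag, and on the consumer side refuses any reference that is not pinned before checking the signer identity. The registry path, signer e-mail and provenance.json are placeholders; docker, grype, syft and cosign are assumed to be installed.

```shell
#!/usr/bin/env sh
# Added example, not the speaker's demo code. Assumes docker, grype, syft and
# cosign are on PATH; IMAGE, SIGNER and provenance.json are placeholders.
set -eu
IMAGE="${IMAGE:-ghcr.io/example-org/mcp-server:1.0.0}"   # placeholder tag reference
SIGNER="${SIGNER:-[email protected]}"                # placeholder OIDC identity
ISSUER="${ISSUER:-https://accounts.google.com}"        # Google, as in the demo

# 0 when a reference is pinned to a sha256 digest, 1 for a tag-only reference.
# A tag can be re-pointed at new content later; a digest cannot.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Content-addressable digest of a manifest or layer blob stored on disk.
blob_digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    cut -d' ' -f1
}

# 0 when the blob still hashes to the digest a policy pinned, 1 if it changed.
verify_blob_digest() {
  [ "sha256:$(blob_digest "$1")" = "$2" ]
}

# Publisher side, mirroring the demo: build, scan, SBOM, push, sign, attest.
pipeline() {
  docker build -t "$IMAGE" .
  grype "$IMAGE" --fail-on high                     # stop on high/critical findings
  syft "$IMAGE" -o spdx-json > sbom.spdx.json
  docker push "$IMAGE"
  # Resolve the tag to its immutable digest and sign only that reference.
  pinned=$(docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE")
  is_digest_pinned "$pinned"
  cosign sign --yes "$pinned"                       # keyless: ephemeral key, OIDC identity
  cosign attest --yes --type spdxjson --predicate sbom.spdx.json "$pinned"
  cosign attest --yes --type slsaprovenance --predicate provenance.json "$pinned"
}

# Consumer side: refuse tag-only references, then check the signer identity.
verify() {
  is_digest_pinned "$1" || { echo "refusing unpinned reference: $1" >&2; return 1; }
  cosign verify --certificate-identity "$SIGNER" --certificate-oidc-issuer "$ISSUER" "$1" >/dev/null
}

case "${1:-}" in
  run) pipeline ;;
  verify) verify "$2" ;;
esac
```

Run it as `./pipeline.sh run` to publish and `./pipeline.sh verify IMAGE@sha256:...` before starting the MCP server from that image.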

Q&A

What is the difference in security scanning between running an MCP server in a virtual environment versus a Docker container? A container packages everything, making scanning straightforward; a virtual environment misses OS-level dependencies and is more convoluted to scan. ▶ Watch (11:01)

What are the overheads of running an MCP server in a Docker container? Not much; the main issue is that prepackaged images may be large, but statically compiled binaries, such as Go programs, are lightweight. ▶ Watch (20:34)

Does Grype check for outdated dependencies? It checks for vulnerabilities, not for outdatedness; if a package is old, critical vulnerabilities are likely to be unpatched. ▶ Watch (18:21)

Notable Quotes

If you’re running npx directly, you shouldn’t. Please stop. Juan A. Osorio · ▶ Watch (0:44)

We already had our first malicious MCP server Juan A. Osorio · ▶ Watch (1:43)

It’s not about the protocol, it’s just about evolution and usage Juan A. Osorio · ▶ Watch (1:59)

It’s not about fear, it’s about being aware and knowing where to stand and what to do Juan A. Osorio · ▶ Watch (2:46)

I didn’t come here to promise you that OCI is going to walk you raise your children, walk your dog Juan A. Osorio · ▶ Watch (28:37)

Key Takeaways

  • Package MCP servers as OCI images to enable vulnerability scanning, signing, and policy enforcement.
  • Use Cosign to sign images with existing identities (Google, GitHub) without managing GPG keys.
  • OCI images are not a complete security solution; combine with trusted registries and runtime verification.

About the Speaker(s)

Juan A. Osorio, known as Ozz, is a Mexican software engineer living in Finland. His background spans security for OpenStack, Kubernetes, and bare metal environments. At Stacklok, he founded the ToolHive project and builds MCP infrastructure, including supply chain security tooling.