Supply Chain Attacks Outrank Novel Exploits

▶ Watch (1:01)

Tool poisoning, rug pulls and prompt injection get attention because they are new. Craig Jellick argued that the real danger is supply chain attacks. The Postmark MCP, LiteLLM and Axios incidents all relied on ordinary dependency poisoning, name squatting or a compromised maintainer account; no prompt injection was needed. Jellick wanted the audience to feel nervous the next time they run npx or uvx to install an MCP server locally.

Postmark MCP: Name Squatting That Worked

▶ Watch (1:35)

Postmark, a legitimate email SaaS, published an MCP server on GitHub but never registered the package name on npm. An attacker registered it. For the first 15 versions the squatted package mirrored the real code to build trust; then a single line was added that BCC'd every sent email to the attacker, so all mail passing through the server was exfiltrated. Koi Security detected it quickly, but the attack required no tool poisoning or prompt injection, only a package name nobody had claimed.

LiteLLM: A Chain of Compromises

▶ Watch (3:32)

In March 2026, LiteLLM was compromised through Trivy, a popular security scanner it used in CI. The attacker first exploited a GitHub Actions weakness in Trivy's own repository (a pull_request_target workflow, which runs with the base repository's secrets and can be made to execute code from an untrusted pull request), stole a token, and caused some noisy chaos as a smoke screen. Twenty days later the attacker came back and replaced the Trivy GitHub Action. LiteLLM's CI ran that action, which exfiltrated its CI secrets, and with those the attacker published a malicious LiteLLM version that forked processes, stole credentials and installed a cron job for persistence and lateral movement. A bug that turned the payload into a fork bomb limited the blast radius.
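The weakness named above is a pattern you can grep for in your own repositories. The following is an added example, not code from the talk and not Trivy's or LiteLLM's real workflows: a small line-oriented auditor that flags a workflow triggered by pull_request_target that also checks out the pull request's own head and then runs commands from it. Both workflow texts are constructed for the example; the hypothetical functions auditWorkflow and isVulnerable are mine.

```javascript
// Added example: heuristic audit for the pull_request_target footgun.
// The two workflows below are constructed for this example, not real ones.

const VULNERABLE_WORKFLOW = `
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - run: npm ci
      - run: npm test
`;

// Hardened: plain pull_request runs fork PRs without secrets and without a
// write token, and the default checkout uses the merge ref, not the PR head.
const HARDENED_WORKFLOW = `
name: pr-build
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
`;

// A checkout that points at the untrusted PR head instead of the base branch.
const PR_HEAD_REF = /github\.event\.pull_request\.head\.(sha|ref)/;

// Returns a list of findings for one workflow file; empty means nothing flagged.
function auditWorkflow(text) {
  const lines = text.split('\n');
  const findings = [];

  // 1. Does the workflow run in the privileged pull_request_target context?
  const privileged = lines.some(
    (l) => /^\s*pull_request_target\s*:/.test(l) || /^\s*on:.*\bpull_request_target\b/.test(l),
  );
  if (!privileged) return findings;
  findings.push('uses pull_request_target: job runs with base-repo secrets and a write GITHUB_TOKEN');

  // 2. Does it check out the untrusted PR head rather than the base branch?
  const checkoutIdx = lines.findIndex((l) => PR_HEAD_REF.test(l));
  if (checkoutIdx === -1) return findings;
  findings.push('checks out the pull request head: ' + lines[checkoutIdx].trim());

  // 3. Does anything execute after that checkout? Install scripts, tests and
  //    build steps all run whatever the PR author put in the tree.
  const runsCode = lines.slice(checkoutIdx + 1).some((l) => /^\s*-?\s*run\s*:/.test(l));
  if (runsCode) {
    findings.push('CRITICAL: runs commands after checking out untrusted code; a PR author can exfiltrate secrets');
  }
  return findings;
}

function isVulnerable(text) {
  return auditWorkflow(text).some((f) => f.startsWith('CRITICAL'));
}

console.log('vulnerable:', auditWorkflow(VULNERABLE_WORKFLOW));
console.log('hardened:', auditWorkflow(HARDENED_WORKFLOW));
```

This is a heuristic over text, not a YAML parser, so it will miss a `ref:` built from an intermediate variable and it does not understand job-level `if:` guards; treat a hit as something to read by hand. If a workflow genuinely needs pull_request_target (for labelling or commenting on fork PRs), keep it free of any checkout of the PR head, or split the privileged part into a separate workflow_run job that consumes build artifacts rather than source.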

Axios: 100 Million Downloads, 3 Hours of Exposure

▶ Watch (8:40)

The Axios maintainer's account was compromised. The attacker changed the account's email address and published two malicious versions. The malicious code was double-obfuscated and self-erasing: after its first run the dependency looked clean on disk. The bad versions were live for only about three and a half hours, but with roughly 100 million weekly downloads the exposure was still massive. Jellick noted that TypeScript is popular for MCP servers, so the Axios compromise likely reached many of them.

Developer Mitigations You Can Apply Today

▶ Watch (12:31)

Jellick gave four immediate actions. First, stop installing MCP servers locally without review, and pin the versions of the ones you do install. Second, check package names and provenance carefully (the registry package, its repository and its publisher should match the vendor you expect) to avoid name squatting. Third, enable an age-based cooldown for dependencies; with a 7-day minimum, the Axios versions that were live for three and a half hours would never have been installed. Fourth, disable npm install scripts, since postinstall is the usual trigger for malicious code. Also audit your GitHub Actions workflows for pull_request_target usage.
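The name-squatting check from the Postmark MCP section and the cooldown and provenance checks listed above can both be applied to the metadata the registry already exposes. The following is an added example, not the talk's or any project's code: it runs over a packument shaped like the output of `npm view <pkg> time repository dist-tags --json`, selects the newest version that is at least N days old, and compares the declared repository against the vendor's expected one. The packument, its package name, dates and URLs are constructed for the example and are not the real axios or postmark-mcp metadata; the functions selectWithCooldown, checkProvenance and compareVersions are hypothetical helpers.

```javascript
// Added example: dependency cooldown and provenance check over constructed
// registry metadata. Nothing here is real package data.

const NOW = new Date('2026-04-01T12:00:00Z'); // fixed clock so the example is reproducible
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed to look like `npm view example-mcp-server time repository dist-tags --json`.
// 1.4.1 was published two and a half hours before NOW and is already tagged latest.
const PACKUMENT = {
  name: 'example-mcp-server',
  'dist-tags': { latest: '1.4.1' },
  repository: { type: 'git', url: 'git+https://github.com/evil-org/example-mcp-server.git' },
  time: {
    created: '2025-06-01T00:00:00Z',
    modified: '2026-04-01T09:30:00Z',
    '1.3.0': '2026-01-10T00:00:00Z',
    '1.4.0': '2026-03-15T00:00:00Z',
    '1.4.1': '2026-04-01T09:30:00Z',
  },
};

// Plain x.y.z comparison; prerelease tags (1.0.0-rc.1) are not handled here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Newest version whose publish time is at least minAgeDays before `now`,
// or null if every version is too fresh. Ignores dist-tags on purpose:
// "latest" is exactly what an attacker with a stolen account controls.
function selectWithCooldown(packument, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const old = Object.entries(packument.time)
    .filter(([v]) => v !== 'created' && v !== 'modified')
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
  return old.length ? old[old.length - 1] : null;
}

// Reduce the many ways a GitHub repo URL is written to host/owner/name.
function normalizeRepo(url) {
  return url
    .replace(/^git\+/, '')
    .replace(/^(https?|git|ssh):\/\//, '')
    .replace(/^git@github\.com:/, 'github.com/')
    .replace(/\.git$/, '')
    .replace(/\/$/, '')
    .toLowerCase();
}

// Does the package's declared repository match where the vendor really lives?
// A mismatch is a hard reject; a match is necessary but not sufficient, because
// the repository field is a string the publisher writes, and a squatter can copy it.
function checkProvenance(packument, expectedRepo) {
  const actual = packument.repository && packument.repository.url
    ? normalizeRepo(packument.repository.url)
    : null;
  const expected = normalizeRepo(expectedRepo);
  return { ok: actual === expected, actual, expected };
}

const pick = selectWithCooldown(PACKUMENT, 7, NOW);
console.log('latest tag:', PACKUMENT['dist-tags'].latest, '| with 7-day cooldown:', pick);
console.log(checkProvenance(PACKUMENT, 'https://github.com/example-vendor/example-mcp-server'));
```

npm has the cooldown built in at install time: `npm install --before=<ISO date>` only considers versions that existed on or before that date, so passing a date seven days in the past gives the same result as selectWithCooldown. Setting `ignore-scripts=true` in `.npmrc` covers the fourth action. Where a package publishes provenance attestations, `npm audit signatures` verifies them against the registry's keys and is a stronger check than the self-reported repository field used here.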

Organizational Defenses: Gateways and Remote Execution

▶ Watch (15:56)

For teams, Jellick recommended an MCP gateway such as Obot. It keeps an inventory of every MCP server in use and enforces isolation, audit logging and tool-level access control. Because it runs on Kubernetes, it can use the cloud-native controls already available there: network policies, runtime classes (such as gVisor), resource limits and egress control. Centralizing MCP servers also makes incident response fast, since every server can be shut off with one click. Jellick also predicted that coding agents will move off laptops into remote, isolated environments.

Q&A

How can developers check the transitive dependencies of MCP servers? Use tools that list every installed dependency, and look for packages you do not expect. ▶ Watch (25:27)

Does building from source (e.g., Go modules fetched from GitHub) improve security? Yes; building from source aligns with the SLSA framework for secure software supply chains. ▶ Watch (27:02)

Notable Quotes

just simple name squatting is enough to get you into trouble Craig Jellick · ▶ Watch (3:06)

the attacker scanned for a known weakness in GitHub actions, used that to exfiltrate an access token in Trivy, caused some chaos, which was a smoke screen, so they could come back later and replace the GitHub Trivy action Craig Jellick · ▶ Watch (8:00)

it’s how sophisticated these attacks are getting Craig Jellick · ▶ Watch (9:55)

stop installing MCP servers locally or at least revisit the ones you have installed and ask yourself, do these need to be installed the way they are? Craig Jellick · ▶ Watch (12:31)

why are the agents running on our laptops anymore Craig Jellick · ▶ Watch (21:18)

Key Takeaways

  • Supply chain attacks on MCP servers are simpler and more dangerous than novel exploits.
  • Name squatting, dependency poisoning, and compromised maintainer accounts are the primary vectors.
  • Centralizing MCP servers via a gateway enables isolation, audit, and rapid incident response.

About the Speaker(s)

Craig Jellick is VP of Engineering and co-founder of Obot AI, where they are building an agent platform that helps teams of all technical levels create software, automate work, and ship real tools using AI. Previously, he was a founding engineer and Director of Engineering at Rancher.