MCP 服务器被大规模分叉并重新发布——供应链攻击载体

I&#x27;m the developer of an MCP server (AiDex — code indexing with Tree-sitter, github.com&#x2F;CSCSoftware&#x2F;AiDex). I recently discovered that an organization called iflow-mcp is systematically forking hundreds of MCP servers on GitHub, republishing them under their own npm scope (@iflow-mcp&#x2F;) and on PyPI, and distributing them through their own &quot;marketplace&quot; — without ever contacting the original authors.<p>But the real problem isn&#x27;t the fork itself. The real problem is security.<p>---<p>*What&#x27;s happening*<p>The forks are published under the pattern @iflow-mcp&#x2F;originalauthor-projectname. The familiar name of the original creates trust — but the code the user actually gets is entirely under a third party&#x27;s control. Nothing prevents that third party from modifying the code before publishing.<p>*Why MCP servers are particularly dangerous*<p>An MCP server is not a harmless plugin. By design, it has deep access:<p>- It reads your source code, navigates your filesystem, receives file contents - It can see .env files, API keys, SSH keys, credentials, and proprietary code - It communicates via stdio directly with the AI client — meaning it can manipulate tool responses - It often runs with the same permissions as the user<p>A trojanized MCP server could silently exfiltrate sensitive data while doing exactly what it&#x27;s supposed to do — indexing or analyzing your code. You see the tool working normally. You don&#x27;t see the data leaving.<p>Even worse: a manipulated server could feed the AI assistant deliberately false information — suggesting insecure code patterns, hiding vulnerabilities, or redirecting the AI to the wrong files.<p>*The broken chain of trust*<p>The problem is systemic:<p>1. Developer A publishes an MCP server as open source 2. Organization X forks it, republishes it under their own scope 3. A user finds the package in X&#x27;s marketplace, recognizes the familiar name, installs it 4. The user believes they&#x27;re running the original — but they&#x27;re running code that X could have modified in any way<p>This is a classic supply-chain attack. And it works particularly well because MCP servers are new, and many users haven&#x27;t yet learned to verify where their tools actually come from.<p>---<p>*What you can do as an MCP server developer*<p>1. *Origin check at startup:* Check your own package name (package.json, process.env.npm_package_name) and installation path (__dirname). If a foreign scope appears, display a clear warning:<p><pre><code> This appears to be an unofficial redistribution of [project]. Official package: npm install [original-package] Repository: [original-url] </code></pre> 2. *Build signature:* Embed a hash or signed identifier during your build process. A republisher who doesn&#x27;t replicate your exact build pipeline cannot reproduce it.<p>3. *Registry check:* A quick HTTP request at startup to the npm registry can reveal whether the package is running under a foreign scope.<p>*What you can do as a user*<p>- Always install MCP servers directly from the original project, never through third-party marketplaces - Check the npm scope: @iflow-mcp&#x2F;cscsoftware-aidex is NOT the same as aidex-mcp - Look at GitHub to verify whether a repository is a fork and who the actual author is - Be especially cautious with MCP servers that have deep filesystem access<p>---<p>*Please share this post.* The more MCP developers and users know about this attack vector, the harder it becomes to exploit. The MCP ecosystem is growing rapidly — but without awareness of supply-chain security, we&#x27;re building on sand.<p>If you&#x27;re affected: speak up. Check whether your project appears under github.com&#x2F;iflow-mcp&#x2F;. The more voices, the sooner npm and GitHub will act.<p>Original project: https:&#x2F;&#x2F;github.com&#x2F;CSCSoftware&#x2F;AiDex Their fork on npm: https:&#x2F;&#x2F;www.npmjs.com&#x2F;package&#x2F;@iflow-mcp&#x2F;cscsoftware-aidex<p>— Uwe Chalas, author of AiDex (aidex-mcp on npm)