150 million downloads.

150 million downloads. 200,000 public servers. 10+ CVEs.

Ox Security's "Mother of All AI Supply Chains" report sounds apocalyptic. The implied takeaway is that Anthropic published a broken standard. The actual danger is narrower, more specific, and worth knowing if you are shipping AI integrations right now.

𝗪𝗵𝗲𝗿𝗲 𝘁𝗵𝗲 𝗥𝗲𝗮𝗹 𝗗𝗮𝗻𝗴𝗲𝗿 𝗦𝗶𝘁𝘀

Three failure modes are doing most of the damage.

1. Agents rewriting their own MCP config. The Windsurf incident was a zero-click takeover. A prompt injection in a webpage tricked the AI into editing `mcp.json` with a malicious entry, and the next launch ran it. If the AI can edit the file that lists the commands it executes on startup, the AI is one bad webpage away from installing malware on itself.

2. Man-in-the-middle on hosted transports. The local transport has the code-execution risk. The hosted version moves the problem to the network: TLS misconfigurations, hijacked OAuth flows, intercepted tokens. A trusted vendor is not protective if the client is connecting to the wrong endpoint.

3. No sandbox, no permission manifest. Browser extensions declare what they need and the browser enforces it. iOS apps the same. Deno has `--allow-net` and `--allow-read`. MCP shipped with none of that. Every local server runs with full user privileges by default.

The fixes are not exotic. Container-sandboxed local servers. Manifest-based permissions like browser extensions. Least-privilege tokens with short expiry. File permissions on `mcp.json` so the AI cannot rewrite its own contact list.

None of this exists at the spec level yet.

𝗧𝗵𝗲 𝗟𝗲𝗮𝗱𝗲𝗿𝘀𝗵𝗶𝗽 𝗧𝗮𝗸𝗲𝗮𝘄𝗮𝘆

Don't blindly install MCP servers.

If you are shipping AI integrations right now, talk to your team to make sure they are implementing MCP servers properly and securely.