Mass Supply-Chain Attack Discovered: iflow-mcp Systematically Republishing MCP Servers Without Authorization
Key Takeaways
- An organization called iflow-mcp has mass-forked hundreds of MCP servers and republished them under their own npm scope without original author consent, creating a significant supply-chain attack vector
- MCP servers are high-risk targets because they have deep filesystem access, can read credentials and source code, and communicate directly with AI assistants, making them ideal for silent data exfiltration or manipulation
- The attack exploits user trust through name confusion and third-party marketplaces; developers should implement origin verification checks and users should install directly from original repositories
Summary
A critical supply-chain security vulnerability has been exposed in the Model Context Protocol (MCP) ecosystem, where an organization called iflow-mcp has systematically forked hundreds of open-source MCP servers and republished them under their own npm scope and on PyPI without contacting the original authors. The attack exploits user trust through name confusion — republished packages carry the original project name inside their identifier (e.g., @iflow-mcp/cscsoftware-aidex instead of aidex-mcp) while potentially containing malicious modifications. MCP servers are particularly dangerous targets because they have deep system access, including the ability to read source code, environment files, API keys and SSH credentials, and to communicate directly with AI assistants, making them ideal vectors for silent data exfiltration or for the injection of false information.
The vulnerability represents a classic supply-chain attack pattern where users installing packages from third-party marketplaces believe they are using the original software while actually running code under a third party's control. The attack is especially effective because MCP is a relatively new technology and many developers and users have not yet learned to verify package origins. Security researchers and developers are urging the community to implement origin verification checks at startup, use build signatures, and conduct registry verification, while advising users to install MCP servers directly from original repositories and verify npm scopes before installation.
This represents a systemic risk to the rapidly growing MCP ecosystem, with potential for both data theft and AI assistant manipulation through deliberately false information injection.
Editorial Opinion
This discovery exposes a critical gap in the MCP ecosystem's security infrastructure at precisely the moment when MCP adoption is accelerating. While the attack itself is relatively simple — name spoofing combined with repackaging — its potential impact is severe given MCP's deep system privileges and access to sensitive credentials. The community response must move beyond individual developer mitigations to include platform-level protections from npm and GitHub, such as publisher verification badges and automated fork tracking, to prevent this pattern from becoming widespread.