The MCP ecosystem has grown faster than any comparable developer infrastructure in recent memory. From its initial release to the point Stein’s research documented it, the ecosystem accumulated 177,436 tools across 19,388 servers, with 78 million total server downloads and growth accelerating quarter over quarter. That velocity is a genuine achievement — it reflects the utility of the protocol and the productivity gains agents provide to developers who adopt it.
It is also an unvetted supply chain at enterprise scale. The same growth dynamic that produced 177,000 tools produced them without the security review infrastructure that established package ecosystems have built over decades. npm has mandatory 2FA for popular package maintainers, automated malware scanning, and a security team. The MCP ecosystem has none of these at the protocol level. What it has is organic community growth, organizational adoption decisions made on the basis of functionality rather than security posture, and an attack surface that scales with every new server deployment.
ShieldNet’s SC-Inject-Bench provides the first large-scale empirical measurement of what that attack surface looks like in practice. The findings close the gap between the theoretical risk the ecosystem represents and the documented reality of what adversaries have already built within it.
What SC-Inject-Bench Establishes
SC-Inject-Bench — Benchmark Design
SC-Inject-Bench is the first large-scale supply chain attack benchmark for MCP ecosystems. It contains 10,000+ malicious MCP tool definitions grounded in 25+ MITRE ATT&CK attack types — spanning initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, and exfiltration. Attack scenarios are drawn from real-world adversarial patterns, not synthetic test cases.
The benchmark was used to evaluate four categories of defense: MCP-specific scanners (Cisco AI Defense, Ramparts, Invariant Labs), semantic guardrails (LLM-based content analysis), network traffic analysis (ShieldNet), and combinations thereof. Performance was measured on detection rate and false positive rate across all 25+ attack categories.
F1 score achieved by ShieldNet’s network-level detection across SC-Inject-Bench’s 10,000+ malicious MCP tools — at a false positive rate of just 0.8%. Existing MCP scanners from Cisco AI Defense, Ramparts, and Invariant Labs performed substantially below this benchmark. Semantic guardrails (LLM-based content analysis) performed poorly against stealthy supply chain attacks. Network-level analysis of runtime traffic is the detection approach that changes the calculus.
The performance gap between network-level detection and existing scanners is not marginal. It is categorical. The reason is architectural: existing scanners operate on content — they examine tool definitions, descriptions, parameter schemas, and return value patterns for known-bad signatures. ShieldNet operates on network traffic — it analyzes the runtime behavior of tools, not their declared content, using a MITM proxy architecture that captures actual network calls and classifies them against expected behavioral patterns.
This distinction matters because the same property that makes DDIPE invisible to semantic content analysis — the attack embeds malicious logic in legitimate-looking documentation — also makes many MCP supply chain attacks invisible to content-scanning approaches. A malicious tool that declares a benign description and operates normally under inspection, but exfiltrates data when unobserved, presents no detectable signal to a scanner analyzing its declared content. It presents a clear behavioral signal to a network traffic analyzer observing what it actually does.
The Scale Problem: 177,000 Tools, One Protocol Standard
Stein’s ecosystem study provides the scale context that makes the SC-Inject-Bench findings significant beyond the benchmark itself. The 177,436 tools documented across 19,388 servers represent an attack surface that is already vast, already deployed in production environments, and already growing faster than any enterprise security team can manually review.
MCP tools documented across 19,388 servers as of the study’s measurement window — with 78 million total server downloads and trajectory accelerating. Official servers from commercial entities account for 45 million of those downloads despite representing only approximately 8.5% of the total tool count. The remaining 91.5% are community servers without the security review infrastructure of established commercial entities.
The 91.5% figure is the one enterprise security teams should be attending to. Official servers from commercial entities — Anthropic, Microsoft, Google, Stripe, and others — have organizational security programs, vulnerability disclosure processes, and reputational incentives to maintain security quality. Community servers have none of these institutional backstops. They are developed, deployed, and updated by individuals and small teams operating without the security infrastructure their enterprise adopters have assumed they possess.
This is not a criticism of community contributors. It is a structural description of how ecosystems grow. npm faced the same dynamic — early community packages that enterprise teams adopted without security review, followed by a long, painful process of building the review infrastructure that the ecosystem needed. The MCP ecosystem is at an early stage of that same process, without yet having built the tooling, norms, or institutional infrastructure that makes the review tractable.
The Action Tool Problem
Stein’s taxonomy distinguishes three tool categories by impact type: perception tools that read external state, reasoning tools that analyze data, and action tools that modify external environments. Action tools — the category with the highest supply chain risk, because a compromised action tool can write to systems, trigger processes, and exfiltrate data through its normal operation — represent a significant and growing share of the ecosystem’s tool count. The growth trajectory means that the proportion of high-impact tools in the ecosystem is increasing, not holding steady, as the ecosystem matures.
Why Application-Layer Scanning Has a Structural Ceiling
The gap between ShieldNet’s 0.995 F1 and the performance of existing MCP scanners is not primarily a product of implementation quality. It reflects a structural property of what each approach can observe.
What Content Analysis Can See
Tool definitions, descriptions, parameter schemas, and return value declarations. Known malicious signature patterns in tool metadata. Semantic anomalies in tool descriptions relative to the declared function. Static analysis of tool implementation code where accessible.
What it cannot see: behavioral patterns that emerge only at runtime. Tools that present benign declarations but execute differently when unobserved. Stealthy exfiltration through legitimate-looking network calls. Attack payloads triggered by specific runtime conditions that do not appear in static analysis.
Performance against stealthy supply chain attacks in SC-Inject-Bench: substantially below ShieldNet across all 25+ MITRE ATT&CK categories. The ceiling is structural, not implementational.
Content-Visible · Behavior-BlindWhat Behavioral Analysis Can See
Runtime network traffic generated by tool execution. Actual destinations, payloads, and timing patterns of network calls — not declared ones. Behavioral signatures that correspond to MITRE ATT&CK patterns even when tool declarations are clean. Anomalies between declared behavior and observed behavior.
ShieldNet’s architecture: MITM proxy intercepts all MCP tool network traffic. Structured event extraction converts raw traffic into behavioral feature vectors. Lightweight classifier maps feature vectors to attack categories. Operates without access to tool source code or documentation.
Performance: 0.995 F1 at 0.8% false positive rate across 10,000+ malicious tools. Stealthy attacks that evade content scanning are visible in network behavior because actual exfiltration produces network events that declared behavior does not.
Behavior-Observable · Declaration-IndependentThe right column describes a detection approach that is new to the agentic AI security stack but well-established in network security. MITM proxy architectures, behavioral traffic analysis, and anomaly detection on network events are foundational tools in enterprise security programs. The insight ShieldNet contributes is that these tools apply to the MCP supply chain problem in a way that content-scanning approaches structurally cannot — because the attack behaviors that matter are runtime behaviors, not declaration-time behaviors.
What Existing Scanners Catch — and Why It Matters
Framing the network-level detection advantage accurately requires acknowledging what application-layer scanners do well. Cisco AI Defense, Ramparts, and Invariant Labs address real attack vectors — known-signature supply chain attacks, obvious tool poisoning in metadata, and injection patterns visible in static analysis. These vectors are worth addressing. The organizations that have deployed these tools have closed a real part of the attack surface.
The SC-Inject-Bench performance data does not render those tools obsolete. It establishes that they address a bounded portion of the supply chain attack surface — the portion that is content-visible. The portion that is behavior-visible requires a different detection architecture. An enterprise that deploys only content-scanning has a structural detection ceiling. An enterprise that adds network-level behavioral analysis extends its coverage to the attack classes the scanner cannot reach.
The scanner sees what the tool says it does. The network proxy sees what the tool actually does. For stealthy supply chain attacks, those are not the same thing.
— Luminity Digital synthesis from arXiv:2604.04426, Yuan et al., April 2026The Enterprise Implementation Implications
Three implications follow for enterprise teams operating MCP-connected agentic deployments.
Treat the community MCP ecosystem as untrusted infrastructure. The 91.5% of ecosystem tools that come from community servers do not have the security review backstops of commercial entity servers. Enterprise adoption of community MCP servers should apply the same due diligence as enterprise adoption of open-source packages — version pinning, integrity verification, privilege scoping, and periodic security review. The growth velocity of the ecosystem makes this operationally demanding; the SC-Inject-Bench data makes it necessary.
Add network-level behavioral analysis to MCP security architecture. Content scanning for known signatures is a necessary baseline. It is not sufficient for the stealthy supply chain attack classes that SC-Inject-Bench documents. A MITM proxy architecture observing MCP tool network traffic — whether ShieldNet specifically or an equivalent behavioral analysis layer — provides coverage for the attack surface that declaration-time scanning structurally cannot reach. This is a deployment decision, not a research-stage aspiration: ShieldNet is implemented and evaluated at production scale.
Scope tool privileges to the minimum required for the declared function. A compromised action tool with credential access and external API invocation authority has a categorically different blast radius than a compromised perception tool with read-only access to a narrow data source. Privilege scoping does not prevent supply chain compromise — it bounds what a successful compromise can reach. In the context of an ecosystem where 26.1% of scanned skills exhibit vulnerabilities and behavioral scanning is still maturing, blast radius containment through privilege scoping is the most immediately actionable structural control.
The MCP supply chain problem is not a future risk — it is a present-state compromise at ecosystem scale. The detection approach that addresses stealthy attack classes is network-level behavioral analysis, not content scanning. ShieldNet establishes 0.995 F1 at 0.8% false positive rate against 10,000+ malicious tools — the detection calculus shifts when you move from what tools say they do to what they actually do. Post 3 of this series maps the defense architecture that closes the gap: provenance verification as the structural layer that neither content scanning nor behavioral analysis alone can provide.
