Session
Auditing the MCP Supply Chain
Every MCP server you install pulls in a supply chain you don't see: the npm or PyPI packages it depends on, the registry you fetched it from, and the official SDK it's built on.
Most teams never audit any of it. In 2026 that gap turned into real incidents.
- The postmark-mcp package silently BCC'd emails from 300+ organizations
- The Smithery registry breach exposed credentials for 3,243 hosted MCP apps through a single path traversal
- A design flaw in the official MCP SDKs allowed command execution over the STDIO transport, across 150 million downloads.
OWASP now lists supply chain as its own entry, MCP04, separate from tool poisoning and prompt injection.
This talk maps the MCP supply chain attack surface across its three layers: package, registry, and SDK and shows how to audit each one.
We'll cover what SBOM tooling catches, where it falls short on MCP specifically, and what a practical defense stack looks like in production.
You'll leave knowing how to audit an MCP server before you trust it.
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top