Vibe Coding
9,695 MCP Servers Audited: 5,832 Flagged, 2,259 Confirmed Exploitable — and Popularity Signals Don't Predict Security
A large-scale analysis across popular MCP directories found arbitrary file access, command injection, SSRF, and SQL injection at scale: 5,832 of 9,695 servers had security issues and 2,259 contained exploitable vulnerabilities beyond simple authentication gaps. The finding that should change your behavior is that stars, repository activity, and verification badges did not reliably correlate with security posture — the heuristics developers actually use to pick an MCP server are uninformative. A separate framework, MCPPrivacyDetector, found credentials, API keys, and PII leaking at rates exceeding 10% across 10,000+ real-world servers.
Source
↳ Follow the thread