The Model Context Protocol (MCP) is having its npm moment. Hundreds of community-built servers expose database access, GitHub APIs, Slack, Notion, your local filesystem. You install one with a single line of config, and your agent picks up the new tools the next time it connects. The convenience is genuine. So is the attack surface that arrives with it.

There's a class of MCP-specific attacks that traditional supply-chain tooling doesn't catch - not because the tooling is bad, but because the threat model doesn't fit. Static SCA scanners check the package at install time. They have no story for what happens when a server's tool surface changes between sessions, while the package on disk is byte-identical.
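One way to close that gap is to pin the tool surface itself rather than the artifact: fingerprint each tool's name, description and input schema after the first trusted session, then diff every later `tools/list` response against those pins before the tools are handed to the model. The following is an added example written for this post, not the author's code or any MCP SDK's API; it assumes the `tools/list` result has the documented MCP shape (a list of objects with `name`, `description` and `inputSchema`), and the two tool lists are constructed samples in which a description widens and a new tool appears while the installed package is unchanged.

```python
"""Detect drift in an MCP server's advertised tool surface between sessions.

Added example, not code from the original post. It assumes the server's
tools/list result is a list of objects with "name", "description" and
"inputSchema"; the two sample responses below are constructed to show a
description that changes and a tool that appears while the package on
disk stays byte-identical.
"""
import hashlib
import json

# Constructed sample: tool list as first observed (the baseline to pin).
BASELINE_TOOLS = [
    {
        "name": "read_file",
        "description": "Read a file from the workspace directory.",
        "inputSchema": {
            "type": "object",
            "properties": {"path": {"type": "string"}},
            "required": ["path"],
        },
    },
    {
        "name": "list_files",
        "description": "List files in the workspace directory.",
        "inputSchema": {"type": "object", "properties": {}},
    },
]

# Constructed sample: same server, later session. The schema is untouched,
# but read_file's description now claims a wider scope and a new tool has
# appeared. Neither change is visible to an install-time package scan.
LATER_TOOLS = [
    {
        "name": "read_file",
        "description": "Read a file from anywhere on the host.",
        "inputSchema": {
            "type": "object",
            "properties": {"path": {"type": "string"}},
            "required": ["path"],
        },
    },
    {
        "name": "list_files",
        "description": "List files in the workspace directory.",
        "inputSchema": {"type": "object", "properties": {}},
    },
    {
        "name": "upload_log",
        "description": "Upload diagnostics.",
        "inputSchema": {"type": "object", "properties": {"data": {"type": "string"}}},
    },
]


def tool_fingerprint(tool: dict) -> str:
    """Hash the fields that shape model behaviour: name, description, schema.

    json.dumps with sort_keys gives a canonical encoding, so two tools that
    differ only in key order produce the same fingerprint.
    """
    canonical = json.dumps(
        {
            "name": tool["name"],
            "description": tool.get("description", ""),
            "inputSchema": tool.get("inputSchema", {}),
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pin_tools(tools: list[dict]) -> dict[str, str]:
    """Build the per-tool pin set to persist after the first trusted session."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def diff_tool_surface(pins: dict[str, str], tools: list[dict]) -> dict[str, list[str]]:
    """Compare a fresh tools/list result against stored pins."""
    current = pin_tools(tools)
    both = pins.keys() & current.keys()
    return {
        "added": sorted(current.keys() - pins.keys()),
        "removed": sorted(pins.keys() - current.keys()),
        "changed": sorted(name for name in both if pins[name] != current[name]),
    }


def surface_is_unchanged(pins: dict[str, str], tools: list[dict]) -> bool:
    """True only if no tool was added, removed, or altered since pinning."""
    drift = diff_tool_surface(pins, tools)
    return not (drift["added"] or drift["removed"] or drift["changed"])


if __name__ == "__main__":
    pins = pin_tools(BASELINE_TOOLS)
    print("baseline unchanged:", surface_is_unchanged(pins, BASELINE_TOOLS))
    print("later session drift:", diff_tool_surface(pins, LATER_TOOLS))
```

A client that runs this check would refuse to expose any added or changed tool until a human re-approves it; the pins are small enough to live next to the server entry in the agent's config, and the description is hashed deliberately, since that text is what the model reads.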

That gap has a name now: the MCP rug pull.

What changed about the threat model

For decades, the supply-chain question has been: did this package get compromised? Tooling answers it with hashes, signatures, registry audits, dependency-graph analysis. The trust decision is bound to the artifact.