On April 23, 2026, two MCP packages were published to npm within hours of each other. An independent security audit by ReversingLabs Spectra Assure found that 0nmcp 4.5.1 passed every check across six security categories — no secrets, no vulnerabilities, no tampering, no malware. The same audit found that openclaw 2026.4.22 had 3 embedded web service credentials, was enumerating AWS secret access keys, contained HTTP request interception domains, and flagged 14 open issues across 190 detected behaviors.
This is what a potentially compromised MCP package looks like before it becomes a data breach.
The MCP Ecosystem Is Moving Fast
The MCP ecosystem is moving faster than any other layer of the AI infrastructure stack right now. Every week, new packages appear on npm claiming to connect Claude or other AI models to a growing list of services. Many of them are legitimate. Some of them are not.
The problem — the specific, dangerous, real problem — is that most people installing MCP packages have no process for telling the difference. They read the README. It looks useful. They run the install command. They configure it. They connect it to their Claude Desktop. And in doing so, they hand an unvetted piece of software access to every service credential in their environment.
The Audit Platform: ReversingLabs Spectra Assure
ReversingLabs Spectra Assure Community is an independent software supply chain security platform that performs static code analysis on npm packages. It evaluates packages across six categories: License compliance, Secrets detection, Vulnerability scanning, Code hardening, Tampering detection, and Malware analysis.
It is the same type of analysis platform used by enterprise security teams to vet open-source dependencies before deployment. The community version is free and publicly accessible at secure.software.
0nmcp 4.5.1 — PASS: Everything Is Awesome
The ReversingLabs scan of 0nmcp 4.5.1 returned a PASS result across all six security categories:
- Licenses: No compliance issues
- Secrets: No sensitive information found
- Vulnerabilities: None detected
- Hardening: No application hardening issues
- Tampering: No evidence of software tampering
- Malware: No evidence of malware inclusion
The behaviors detected in 0nmcp are documented and explainable: AES encryption for vault credential storage, Base64 encoding for data serialization, payment service URLs for Stripe/Square integration, and standard MCP server initialization on launch. Every behavior has a documented explanation. None are anomalous.
openclaw 2026.4.22 — WARNING: Risk: Secrets
The openclaw result is different. The scan returned a WARNING with risk level: Secrets. The assessment found 3 web service credentials embedded in the package code. The analysis flagged 14 open issues and 190 detected behaviors across 44 declared dependencies.
3 Web Service Credentials Found
The scanner detected plaintext credentials within network protocol strings — the pattern protocol://username:password@domain embedded within the package components. Hardcoded credentials in a package that installs into your environment and connects to AI models are not a configuration choice. They are a security failure.
AWS Secret Access Key Enumeration
The scan detected that openclaw enumerates an environment variable that holds an Amazon Web Services secret access key. This behavior is uncommon — found in zero packages in the Top 100 npm packages and only 21 packages in the Top 10,000. When a package enumerates your AWS_SECRET_ACCESS_KEY, it is reading the credential that controls access to your AWS account.
HTTP Request Interception Domains
The package sets up network interactions with domains commonly associated with HTTP request interception. This is a recognized indicator of data exfiltration or man-in-the-middle behavior.
Raw GitHub File URLs
The package contains URLs linking to raw files hosted on GitHub. Attackers often abuse popular web services to host malicious payloads because code-sharing service URLs are typically allowed by security solutions.
Why This Matters Right Now
The MCP ecosystem is in the same phase that npm was in before supply chain attacks became a mainstream security concern. The SolarWinds attack, the 3CX attack, the XZ Utils backdoor — in every case, the attack vector was the same: malicious code distributed through a trusted package channel.
MCP packages are uniquely dangerous because they sit between AI models and live service credentials. A compromised MCP server has access to API keys, database connections, payment processors, and communication channels. It is the highest-leverage attack surface in modern AI infrastructure.
How to Check Any MCP Package Before Installing
Navigate to: secure.software/npm/packages/[package-name]
This gives you license compliance, secrets scan, vulnerability scan, behavioral analysis, tampering detection, and malware scan. The scan takes under two minutes.
If the result is anything other than a clean PASS across all six categories, treat the package as untrusted.
The Bottom Line
0nmcp 4.5.1: PASS. 1,554 tools. 96 services. Independently audited. Certified clean.
openclaw 2026.4.22: WARNING. 3 embedded credentials. AWS key enumeration. 14 open issues. Do not install.
Check any MCP package before you install it. The tool is free. The risk of not checking is not.