MCP Servers Under the Microscope: Key Findings and Security Insights


(@nhi-mgmt-group)
Reputable Member
Joined: 7 months ago
Posts: 128
Topic starter  

Read full article from Clutch Security here: https://www.clutch.security/blog/mcp-servers-what-we-found-when-we-actually-looked/?utm_source=nhimg


The rapid explosion of Model Context Protocol (MCP) servers is creating a massive—and largely invisible—security gap inside modern enterprises. In just 13 months, MCP servers grew from 3 to 6,878 implementations—a staggering 2,200% increase. Yet security teams have almost no visibility into how these AI-driven automation tools operate inside their environment.

A Growing Shadow Ecosystem Inside Every Company

Analysis shows that in an average 10,000-person organization:

  • 15.28% of employees run MCP servers

  • Each uses ~2 servers, totaling 3,056 deployments

  • 38% (1,161 servers) are unofficial, unverified community packages

  • 86% of deployments run locally on developer machines

This means thousands of executions of unvetted, unreviewed code with direct access to secrets, credentials, local filesystems, and enterprise services.

The NHI Risk: Every MCP Server Requires Credentials

Every MCP server depends on Non-Human Identities (NHIs) such as:

  • AWS access keys

  • GitHub PATs

  • Service account credentials

  • OAuth tokens

  • Database passwords

Developers store these secrets in plaintext .env files, JSON configs, local variables, or environment variables—giving MCP servers unrestricted access.

Local architecture makes this worse: these servers run with full user privileges, no sandboxing, and no credential isolation.

Why Security Tools Miss Everything

Traditional security controls cannot see or classify MCP server activity:

  • Endpoint tools see only a normal Node/Python process

  • Firewalls see encrypted outbound traffic

  • CASB/SASE tools do not detect MCP as SaaS

  • Package managers bypass all approval workflows

Security teams cannot answer basic questions:

  • What MCP servers are running?

  • Who installed them?

  • What credentials do they access?

  • Which servers are official vs. community?

A Supply Chain Problem Hiding in Plain Sight

Because npm, PyPI, and GitHub do not enforce verification, attackers can publish:

  • Fake vendors (e.g., “salesforce-mcp-enhanced”)

  • Typosquatted packages

  • Insecure implementations

Shockingly, 3% of MCP servers contain hardcoded credentials—including AWS and Stripe keys—published directly in source code.

The Enterprise Exposure

Across 3,056 servers, organizations unknowingly connect MCP tooling to 115 enterprise services, including:

  • AWS (5%)

  • Atlassian (12.3%)

  • GitHub (3.6%)

  • Docker (4.7%)

  • Terraform, Snowflake, Slack, Notion, Postgres, and more

Each integration exposes NHIs to code that security never reviewed.

Why This Problem Will Get Much Worse

The data shows this isn’t a temporary spike:

  • MCP ecosystem is growing exponentially

  • Unofficial implementations will remain high

  • Developers will continue preferring local servers for speed and flexibility

  • Package registries will remain unverified

  • Security visibility will remain near zero until new controls exist

This is not theoretical risk—it’s active exposure.

The Bottom Line

The rise of MCP servers represents one of the largest emerging NHI security blind spots:

  • Thousands of unmonitored tools

  • Running as privileged local processes

  • With direct access to enterprise credentials

  • Distributed through untrusted registries

  • Invisible to existing security technology

Organizations must adopt new visibility and governance solutions to monitor how MCP servers use credentials in real development workflows—or risk silently operating 1,161 unofficial MCP servers with access to their infrastructure.

That’s not strategy.
That’s a gamble.
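As an added example (not code from the article or from Clutch Security), the following Python inventories the MCP servers declared in a client configuration file and flags credential-shaped values in their `env` and `args`, which is the first step toward answering the "what is running, what credentials does it access, official vs. community" questions above. It assumes the common `mcpServers` JSON layout, a small constructed set of key patterns, and an "official" package namespace list that a team would tailor to its own policy.

```python
import json
import re

# Constructed sample of an MCP client config in the common "mcpServers" layout
# (the layout is an assumption; the values are made up for this example).
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_0123456789abcdef0123456789abcdef0123"}
    },
    "salesforce-enhanced": {
      "command": "npx",
      "args": ["-y", "salesforce-mcp-enhanced"],
      "env": {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE123456789"}
    },
    "postgres": {
      "command": "uvx",
      "args": ["mcp-server-postgres", "postgresql://app:hunter2@db.internal/app"]
    }
  }
}
"""

# Credential-shaped value patterns (constructed starter set; extend per environment).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "url_password": re.compile(r"://[^/\s:]+:[^@/\s]+@"),
}
# Package namespaces this demo treats as "official" (an assumption, not a standard).
OFFICIAL_PREFIXES = ("@modelcontextprotocol/",)


def inventory(config_text):
    """Map each configured server name to its package, origin class and secret hits."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, spec in servers.items():
        args = spec.get("args", [])
        # First non-flag argument is the package/script the launcher runs.
        pkg = next((a for a in args if not a.startswith("-")), "")
        # Scan both env values and args: connection strings often carry passwords.
        haystack = list(spec.get("env", {}).values()) + args
        hits = sorted({kind for kind, pat in SECRET_PATTERNS.items()
                       for value in haystack if pat.search(value)})
        report[name] = {"package": pkg,
                        "official": pkg.startswith(OFFICIAL_PREFIXES),
                        "secrets": hits}
    return report
```

Run it against every developer's client config (rather than the constructed sample) to produce the inventory the post says most teams lack.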