SAFE-MCP Audit #747: Unpinned npm Packages in .mcp.json Pose High Supply Chain Risk (T1102)
A high-severity supply chain vulnerability has been identified in the SAFE-MCP project's own configuration, one that would allow arbitrary code execution inside the Claude Code developer environment. The finding, categorized as SAFE-T1102, stems from `npx -y` commands without version pinning in the repository's `.mcp.json` file. Every time Claude Code launches these MCP servers, `npx` resolves the latest published version of two packages, `@awareness-sdk/local` and `@molecule-ai/mcp-server`, downloads it if it is not already cached, and executes it. The `-y` flag suppresses the install confirmation prompt, and no lockfile, exact version, or integrity check constrains which code actually runs.
The core risk is that a compromised npm publisher account, a dependency confusion attack, or a typosquatting incident could put malicious code behind the name `npx` resolves. Because no version is pinned, that code runs automatically the next time the MCP servers are launched, with the privileges of the developer's workspace and without any reviewer seeing a diff. The vulnerability was documented in SAFE-MCP audit #747 and is flagged as NEW-003 in the linked security documentation.
The recommended fix is a shift to standard software supply chain hygiene: pin each package to an exact version, drop the `-y` flag that auto-confirms installation, commit a lockfile so the full dependency tree is frozen, and run `npm audit signatures` in the continuous integration pipeline to verify registry signatures and provenance attestations for the installed tree. These steps belong together: once the packages are installed from the committed lockfile, `npx` resolves the local copy and has nothing left to download, so the `-y` flag is no longer needed and a newly published version cannot slip in unnoticed. This case highlights the critical, often overlooked risk of dependencies fetched on the fly by tooling configurations that bridge AI development environments.
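The check below is an added example, not code from SAFE-MCP or from the audit: a small CI or pre-commit script that fails on the `npx -y <unpinned package>` pattern described above and passes on a pinned, prompt-free configuration. It assumes the `mcpServers` / `command` / `args` layout that Claude Code reads from `.mcp.json`; the two configurations embedded in it are constructed for illustration (only the package names come from the audit), and the `1.0.0` versions in the hardened one are placeholders, not real releases.

```javascript
// Added example (not SAFE-MCP's own code): a CI / pre-commit check for the
// "npx -y <unpinned package>" pattern reported in SAFE-MCP audit #747.
// Assumes the mcpServers/command/args layout Claude Code reads from .mcp.json.
// The configurations below are constructed; the versions are placeholders.

// An exact version is MAJOR.MINOR.PATCH, optionally with prerelease or build
// metadata. Ranges ("^1.2.3", "~1.2"), dist-tags ("latest") and bare names
// all fail this test, which is the point: anything else can float.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Split "name@version" into its parts. A scoped name ("@scope/pkg") begins
// with "@", so the version separator is the first "@" after position 0.
function parsePackageSpec(spec) {
  const at = spec.indexOf('@', spec.startsWith('@') ? 1 : 0);
  return at === -1
    ? { name: spec, version: null }
    : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Audit one server entry and return a list of human-readable findings.
function auditServer(name, server) {
  const findings = [];
  const args = Array.isArray(server.args) ? server.args : [];
  if (server.command !== 'npx') return findings; // only npx fetches at launch

  if (args.includes('-y') || args.includes('--yes')) {
    findings.push(`${name}: "-y" auto-confirms installation of whatever npx resolves`);
  }
  // The package spec is the first argument that is not an npx option.
  const spec = args.find((a) => !a.startsWith('-'));
  if (spec === undefined) {
    findings.push(`${name}: npx invocation names no package`);
    return findings;
  }
  const { version } = parsePackageSpec(spec);
  if (version === null || !EXACT_SEMVER.test(version)) {
    findings.push(`${name}: "${spec}" is not pinned to an exact version`);
  }
  return findings;
}

// Audit a whole parsed .mcp.json; an empty result means the check passes.
function auditMcpConfig(config) {
  return Object.entries(config.mcpServers || {})
    .flatMap(([name, server]) => auditServer(name, server));
}

// Constructed: the shape of the flagged configuration. Package names are
// from the audit; server keys are illustrative.
const VULNERABLE_CONFIG = {
  mcpServers: {
    awareness: { command: 'npx', args: ['-y', '@awareness-sdk/local'] },
    molecule: { command: 'npx', args: ['-y', '@molecule-ai/mcp-server'] },
  },
};

// Constructed: the same servers after the fix. 1.0.0 is a placeholder; the
// real pin must match the reviewed version recorded in package.json and the
// committed package-lock.json, which `npm ci` installs so that npx runs the
// local copy instead of fetching anything.
const HARDENED_CONFIG = {
  mcpServers: {
    awareness: { command: 'npx', args: ['@awareness-sdk/local@1.0.0'] },
    molecule: { command: 'npx', args: ['@molecule-ai/mcp-server@1.0.0'] },
  },
};

// In CI you would parse the real file (fs.readFileSync('.mcp.json')) and
// fail the job on a non-empty result; here both constructed configs are shown.
console.log(auditMcpConfig(VULNERABLE_CONFIG)); // four findings, two per server
console.log(auditMcpConfig(HARDENED_CONFIG)); // []
```

The check deliberately rejects ranges and dist-tags, not just missing versions: `@scope/pkg@^1.2.3` or `@scope/pkg@latest` still lets `npx` pick a future release, which is exactly the window the audit describes. Pair it with `npm audit signatures` in the same job so that the pinned tree is also checked against registry signatures and provenance attestations.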