« All posts

8 security layers for an MCP marketplace: what each one catches

A developer built 8 defense-in-depth security layers for an MCP marketplace after a trojan slipped through — here's what each layer actually catches.

After a real trojan (Win64/Lazy.PGPK) slipped through his MCP skill marketplace, a developer built a full defense-in-depth stack of 8 security layers now running in production. The layers span metadata checks (prompt-injection patterns, unscoped OAuth tokens), static analysis (hardcoded API keys, command injection, OSV dependency scanning), recursive package inspection that catches binaries and staged launcher scripts, 17 malware-family signatures, a WAF, honeypots, live abuse.ch threat-intel feeds, and automated quarantine.

The interesting part is how the layers complement each other's blind spots: the cheap metadata layer never inspects package contents, which is exactly how the trojan first got through — but the new layer that recursively opens nested zips and scans for Windows binaries and launcher scripts caught the same threat. Re-auditing all 14,581 skills in the catalog with the new layers turned up zero quarantines, since the one malicious skill had already been manually removed.

For engineers running MCP servers in production, the takeaway is that no single check is sufficient — effective marketplace security comes from stacking cheap and expensive layers together. Notably, the entire stack runs on Vercel's free tier, GitHub Actions, and a gVisor sandbox at zero monthly infrastructure cost.