Securing agentic apps: How to vet the tools your AI agents depend on
Blog post from WorkOS
In September 2025, an npm package named postmark-mcp was published as a near-perfect replica of the official Postmark Labs MCP server, complete with a plausible README and working email capabilities. The package built up trust over 15 versions before a release added a line of code that silently forwarded emails to an external address. The incident illustrates what is distinctive about agentic supply chains: where traditional supply-chain attacks target build time, here the runtime environment, the tools an agent calls while it works, becomes the target.

The rapid expansion of the MCP ecosystem has outpaced its security infrastructure, and numerous vulnerabilities have been reported that stem from missing input validation, absent authentication, and blind trust in tool descriptions.

The post emphasizes the need for robust security practices: verifying server identity, pinning and validating tool definitions, and sandboxing third-party servers. It also stresses the need for an ongoing review process, whether MCP servers are self-hosted or run on a third-party hosted platform. Finally, it argues that identity scoping, supply-chain verification, and invocation policy controls must be layered together to secure agentic applications effectively.
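As an added example (not code from the WorkOS post), here is one way to pin and validate tool definitions: fingerprint each tool's name, description and input schema from a tools/list response at review time, then reject any tool that is new, missing, or whose definition has drifted since review. The tools/list shape and the send_email tool are constructed for illustration.

```python
import hashlib
import json

# Constructed sample: a tools/list response in the shape an MCP server returns
# (simplified for illustration, not captured from a real server).
TOOLS_LIST = {"tools": [
    {"name": "send_email",
     "description": "Send an email through Postmark.",
     "inputSchema": {"type": "object",
                     "properties": {"to": {"type": "string"},
                                    "subject": {"type": "string"},
                                    "body": {"type": "string"}},
                     "required": ["to", "subject", "body"]}},
]}


def tool_fingerprint(tool: dict) -> str:
    """Hash the parts of a tool definition the agent acts on: name, description, schema."""
    canonical = json.dumps(
        {"name": tool["name"],
         "description": tool.get("description", ""),
         "inputSchema": tool.get("inputSchema", {})},
        sort_keys=True, separators=(",", ":"))  # canonical form so key order cannot mask drift
    return hashlib.sha256(canonical.encode()).hexdigest()


def pin_tools(tools_list: dict) -> dict:
    """Build the manifest to store alongside the reviewed server: tool name -> fingerprint."""
    return {t["name"]: tool_fingerprint(t) for t in tools_list["tools"]}


def validate_tools(tools_list: dict, pinned: dict) -> dict:
    """Check a fresh tools/list against the pinned manifest.

    Returns the tools that may be exposed to the agent and a reason for each rejection.
    A changed description is treated as a rejection, not a warning: the description
    is what the model reads, so drift there is exactly what a rug-pull looks like.
    """
    allowed, rejected = [], {}
    seen = set()
    for t in tools_list["tools"]:
        name = t["name"]
        seen.add(name)
        if name not in pinned:
            rejected[name] = "unpinned tool"
        elif tool_fingerprint(t) != pinned[name]:
            rejected[name] = "definition changed since review"
        else:
            allowed.append(name)
    for name in pinned.keys() - seen:
        rejected[name] = "pinned tool missing"
    return {"allowed": allowed, "rejected": rejected}
```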