Clutch Security — 95% of enterprise MCP servers run on endpoints with zero security visibility
• Category: Security
AI relevance: MCP servers are the primary tool-access layer connecting AI agents to enterprise APIs, databases, and file systems; this analysis shows the deployment layer is overwhelmingly unmanaged shadow IT running with full developer privileges and no security monitoring.
- Clutch Security analyzed MCP server deployments across enterprise environments and found that in a typical 10,000-person organization, approximately 1,528 employees (15.28%) are running an average of 2 MCP servers each — totaling 3,056 deployments.
- 38% of deployed MCP servers (1,161 per 10k org) are unofficial community packages from unknown or anonymous authors on npm and GitHub — not vendor-published, not audited, and not approved by security teams.
- 86% of users choose local MCP architecture over remote alternatives, meaning the server code runs directly on developer endpoints with full filesystem access, no sandboxing, and no credential isolation.
- 95% of MCP servers run on employee endpoints where traditional security tools have no MCP-specific detection capabilities. The remaining 5% run in production environments (CI pipelines, Kubernetes pods, cloud workloads) with even broader credential access.
- 3% of published MCP servers contain valid, hardcoded credentials in their source code — AWS keys, GitHub tokens, Anthropic API keys, Stripe keys — active secrets embedded in packages on npm and GitHub.
- Installation requires no security approval and generates no alert: a developer runs `npm install -g` or `npx -y`, and within seconds arbitrary code from an unknown author has full access to their credentials and filesystem.
- The 3,056 servers connect to 115 distinct enterprise services including AWS (5.0%), Atlassian (12.3%), GitHub (3.6%), Docker (4.7%), Terraform, Postgres, Snowflake, Slack, and 107 others.
- Package registries (npm, PyPI) provide no meaningful verification — no code signing required, anonymous repository creation, unprotected package names, and easily manipulated download/star counts.
Why it matters
- This is the first data-driven measurement of MCP deployment patterns in real enterprise environments, and the picture is worse than most threat models assumed — it is effectively unmanaged shadow IT at scale.
- While the Check Point/Lakera audit showed 40% of MCP servers have exploitable vulnerabilities, Clutch's analysis shows the deployment layer is equally broken: unvetted code, plaintext credentials, and zero security visibility across 95% of installations.
- The combination of local execution (86%), unknown authors (38%), and hardcoded credentials (3%) creates a supply-chain attack surface where a single malicious or compromised npm package can harvest secrets from thousands of developer machines.
- Security teams cannot answer basic questions: what MCP servers exist, which are official vs. community, what credentials are configured, what network connections they make, or what actions they perform.
What to do
- Discover and inventory: Enumerate all MCP server processes on endpoints and production infrastructure — most security tools don't distinguish MCP server processes from normal `node` or `python` execution.
- Classify official vs. unofficial: Map each deployed server to its source package and determine whether it's a vendor-published implementation or anonymous community code.
- Audit credential storage: Scan `.env` files, JSON configs, and environment variables on developer machines for plaintext secrets being consumed by MCP servers.
- Enforce remote-first architecture: Prefer vendor-hosted remote MCP servers where credentials never leave the hosting environment; restrict local server installation to an approved allowlist.
- Monitor package installs: Instrument npm/PyPI install activity on endpoints to flag MCP-related packages and route them through a lightweight review process before execution.
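The inventory, classification and credential-audit steps above can be prototyped against the JSON config files MCP clients keep on the endpoint. The script below is an added example written for this summary; it is not Clutch Security's tooling. It assumes the common `mcpServers` JSON shape (a `command`/`args`/`env` block per local server, a `url` key for remote servers), treats one placeholder npm scope as "vendor-published", and runs on a constructed config and `.env` file embedded in the block. The credential patterns cover the four secret types the report names (AWS, GitHub, Anthropic, Stripe).

```python
"""Inventory MCP servers from a client config and flag plaintext secrets.

Added example (not the report's own code). Assumptions: the config uses the
`mcpServers` JSON shape, remote entries carry a `url` key, and OFFICIAL_SCOPES
is a placeholder allowlist a real deployment would fill from its own review.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Placeholder allowlist of vendor-published npm scopes (assumption).
OFFICIAL_SCOPES = {"@modelcontextprotocol"}

# Shapes of the credential types the report names; a real scanner adds more.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "anthropic_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b"),
}


@dataclass
class McpServer:
    name: str
    kind: str                 # "local" or "remote"
    package: Optional[str]    # package a launcher like npx/uvx would fetch
    classification: str       # "official", "community", "remote", "unknown"
    secrets: list = field(default_factory=list)  # (env key, pattern label)


def package_from_args(command, args):
    """Return the first non-flag argument to npx/uvx, i.e. the package name.
    Simplified: flags that take a value (e.g. -p) are not modelled."""
    if command not in ("npx", "uvx"):
        return None
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def classify(package, url):
    """Bucket a server the way the report does: remote, official, community."""
    if url:
        return "remote"
    if package is None:
        return "unknown"
    scope = package.split("/")[0] if package.startswith("@") else ""
    return "official" if scope in OFFICIAL_SCOPES else "community"


def find_secrets(values):
    """Match every key/value pair against the known credential shapes."""
    hits = []
    for key, value in values.items():
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(str(value)):
                hits.append((key, label))
    return hits


def parse_dotenv(text):
    """Minimal KEY=VALUE parser for .env files (comments and blanks skipped)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env


def inventory(config_text, dotenv_text=""):
    """Build the per-server inventory plus a summary by classification."""
    cfg = json.loads(config_text)
    servers = []
    for name, spec in cfg.get("mcpServers", {}).items():
        url = spec.get("url")
        package = package_from_args(spec.get("command", ""), spec.get("args", []))
        server = McpServer(name=name, kind="remote" if url else "local",
                           package=package, classification=classify(package, url))
        server.secrets = find_secrets(spec.get("env", {}))
        servers.append(server)
    summary = {}
    for server in servers:
        summary[server.classification] = summary.get(server.classification, 0) + 1
    return {
        "servers": servers,
        "dotenv_secrets": find_secrets(parse_dotenv(dotenv_text)),
        "summary": summary,
    }


# Constructed sample input; every secret value is a deliberately fake shape.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx",
               "args": ["-y", "@modelcontextprotocol/server-github"],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_" + "0" * 36}},
    "aws-helper": {"command": "npx", "args": ["-y", "some-random-aws-mcp"],
                   "env": {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEKEY000000"}},
    "hosted": {"url": "https://mcp.example.invalid/sse"},
}})
SAMPLE_DOTENV = "# constructed\nSTRIPE_KEY=sk_live_0000000000000000\nDEBUG=1\n"

if __name__ == "__main__":
    report = inventory(SAMPLE_CONFIG, SAMPLE_DOTENV)
    for s in report["servers"]:
        print(f"{s.name:12} {s.kind:7} {s.classification:10} {s.package} {s.secrets}")
    print("dotenv secrets:", report["dotenv_secrets"], "summary:", report["summary"])
```

Note that the vendor-published `github` entry is still flagged: an official package does nothing about a token sitting in plaintext on the endpoint, which is the point of the remote-first recommendation. In a real rollout the config paths, the allowlist and the secret patterns come from the organisation's own inventory and review process.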