MCP Threat-Intel Feed
Daily snapshot diffs of the public MCP Registry, surfacing rug-pulls, silent removals, and third-party-API rotations.
Day-0 baseline: 21,962 servers ingested from the official MCP Registry on 2026-05-02.
Cadence: new snapshot at 02:00 UTC, diff + alerts at 02:30 UTC, every day.
What It Is
The MCP Threat-Intel Feed is the third leg of DugganUSA’s three-play strategy:
- Jeevesus — the reference MCP server, public threat model, score everyone else gets compared to.
- AIPM-for-MCP audit — 11-vector adversarial audit-as-deliverable.
- MCP Threat-Intel Feed — this page — daily snapshot diffs surfacing rug-pulls and TPA rotations across the registry.
Your AI workflow’s MCP servers are dependencies. Like every other dependency, they can change underneath you. This feed tells you when they do.
How It Works
Every night, two crons run against the registry:
| Cron | When (UTC) | Job |
|---|---|---|
mcp-registry-daily |
02:00 | Pull the full server list, hash each manifest, store the snapshot in the mcp_servers index. |
mcp-rugpull-daily |
02:30 | Diff the new snapshot against the previous one and emit findings to the mcp_findings index. |
The mcp_servers index started with 21,962 entries on 2026-05-02. It grows daily as new servers are published.
The mcp_findings index emits one record per change, classified into six finding types.
Finding Types
rug_pull
Server is replaced with a manifest pointing to a different identity, owner, or radically different tool surface — without a version bump that would normally signal it. The classic supply-chain attack pattern.
silent_remote
A tool’s declared behavior didn’t change, but the upstream remote it calls did — different host, different IP, different cert. The model’s expectations and the runtime reality have diverged.
status_flip
Server flips from verified / published to unverified / delisted / taken-down, or vice versa. Material when downstream automation pins by name rather than full identity.
new
A server that did not exist in the previous snapshot. Useful for “what’s new in the ecosystem” reporting; not by itself a security signal.
removed
A server present yesterday is gone today. Could be benign deprecation or an emergency takedown — the finding flags it for human eyes.
version_bump
Standard version increment with manifest changes. Classified separately so you can suppress noise from healthy maintenance while still catching rug_pull events.
Finding Schema
Every finding is a small, machine-readable record:
{
"id": "mcp-finding-2026-05-02-00012",
"finding_type": "rug_pull",
"server": "io.github.example/example-tools",
"first_seen": "2025-11-14T02:00:00Z",
"last_seen": "2026-05-02T02:00:00Z",
"snapshot_prev": "sha256:abc...",
"snapshot_curr": "sha256:def...",
"diff": {
"owner": ["[email protected]", "[email protected]"],
"tool_count": [3, 7],
"remote_endpoint": ["api.example.com", "cdn.unrelated.tld"]
},
"severity": "critical",
"confidence": 0.92,
"evidence_url": "https://analytics.dugganusa.com/api/v1/mcp/findings/mcp-finding-2026-05-02-00012"
}
Severity is computed from finding type, scope of change, and the server’s deployment footprint. rug_pull and silent_remote are the two finding types that ship as critical by default.
How to Subscribe
Same auth, same tiers, same key as the STIX feed and the Jeevesus MCP server.
Authorization: Bearer <your_api_key>
REST
# All findings since a timestamp
curl -H "Authorization: Bearer YOUR_API_KEY" \
"https://analytics.dugganusa.com/api/v1/mcp/findings?since=2026-05-01T00:00:00Z"
# Filter by finding type and severity
curl -H "Authorization: Bearer YOUR_API_KEY" \
"https://analytics.dugganusa.com/api/v1/mcp/findings?type=rug_pull&severity=critical"
# Findings for a specific server
curl -H "Authorization: Bearer YOUR_API_KEY" \
"https://analytics.dugganusa.com/api/v1/mcp/findings?server=io.github.example/example-tools"
Inside an MCP client
If you already use Jeevesus, the search tool reaches the mcp_findings index out of the box:
“Show me any rug-pull findings from the last 7 days against servers we have installed.”
Claude calls search with index=mcp_findings, filters, and returns the diffs directly in chat.
STIX 2.1 export
Every critical finding is also published as a STIX indicator + relationship pair into the standard STIX feed, so existing SIEM connectors light up without new wiring.
Tier Limits
Same shared quota as the rest of the platform:
| Tier | Daily query limit | Findings retention | SLA |
|---|---|---|---|
| Free | 25/day | 7 days | Community |
| Pro | 2,000/day | 90 days | 24h email |
| Enterprise | 50,000/day | unlimited | 4h response |
Critical-severity findings are pushed via webhook on the Pro and Enterprise tiers. Configure the webhook URL on your account page after registering.
See Also
- Jeevesus MCP Server — the reference implementation
- AIPM-for-MCP Audit — request an adversarial audit of any MCP server
- STIX 2.1 Feed Integration Guides — same auth, same data, different transport
📋 Last Updated: 2026-05-02 🛡️ Security.DugganUSA.com — Wu-Tang Financial: Share everything, hoard nothing