In the previous post, we made the case that developers are big targets of attack these days. Hardly a week goes by without some malware slipping into the open source package ecosystem. Developers are affected when they directly (or transitively) download the package.
This problem is made bigger because more code is being produced by agentic coding technologies such as Claude, Cursor, Copilot, etc.
We now have to worry about agents pulling in dangerous packages. These packages can be dangerous for a number of reasons:
We need a way for both developers as well as coding agents to select safe packages when they are building applications.
This is why we are releasing the boostsecurity safe package MCP server. By simply adding this MCP server to your coding agent of choice, you help the agent check packages BEFORE actually installing them, eliminating these types of supply chain risks.
There is no need to create an account. Just follow the instructions, and within a few minutes you’ll have more peace of mind…
Today, we support the following languages: Python (PyPI), Go (Go modules), TypeScript/JavaScript (npm), Java (Maven), .NET (NuGet).
The MCP server is tested and works with Cursor, Claude Code, Windsurf and VS Code, but with very little tweaking it can also run in virtually every MCP client.
Let’s look at how it works inside Claude Code:
Step 1: Enable the MCP server
Step 2: Profit
In the example above, the safe packages MCP server detected a vulnerability that can be fixed by simply upgrading the package.
Had the package been a typosquat, contained malware, or been unmaintained, the MCP server would have told the coding agent to find an alternative package, citing the reason. If stuck, it would consult the developer.
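To make the pre-install gate described above concrete, here is an added Python illustration. It is not the boostsecurity MCP server's code (the post does not describe the server's decision logic); it simply shows the shape of such a check: given package metadata, return a verdict the agent can act on (install, upgrade, find an alternative, or ask the developer) together with the reason. The registry entries, popular-package list, version numbers, dates and thresholds are all constructed for the example.

```python
"""Illustrative pre-install package gate (added example, not the product's code).

Covers the four finding types named in the post: known vulnerability,
typosquat, malware, unmaintained. All metadata below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed stand-in for registry metadata keyed by package name.
REGISTRY = {
    "requests": {"latest": "2.32.3", "last_release": date(2024, 5, 29),
                 "malware": False, "vulnerable_below": "2.31.0"},
    "reqeusts": {"latest": "0.0.1", "last_release": date(2024, 11, 2),
                 "malware": True, "vulnerable_below": None},
    "oldlib":   {"latest": "1.0.0", "last_release": date(2018, 1, 1),
                 "malware": False, "vulnerable_below": None},
}
# Constructed list of well-known names used for the typosquat check.
POPULAR = ["requests", "numpy", "flask"]
UNMAINTAINED_DAYS = 2 * 365   # constructed threshold


@dataclass
class Verdict:
    action: str               # install | upgrade | find_alternative | ask_developer
    reason: str
    suggested_version: Optional[str] = None


def parse_version(v: str) -> tuple:
    """Turn '2.31.0' into (2, 31, 0) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small distances to a popular name suggest a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_package(name: str, version: str, today: date = date(2025, 1, 1)) -> Verdict:
    """Evaluate a requested package before installation and say what to do."""
    meta = REGISTRY.get(name)
    if meta is None:
        # No data at all: defer to the developer rather than guess.
        return Verdict("ask_developer", f"{name} not found in registry data")
    if meta["malware"]:
        return Verdict("find_alternative", f"{name} is flagged as containing malware")
    for popular in POPULAR:
        if name != popular and edit_distance(name, popular) <= 2:
            return Verdict("find_alternative", f"{name} looks like a typosquat of {popular}")
    if (today - meta["last_release"]).days > UNMAINTAINED_DAYS:
        return Verdict("find_alternative",
                       f"{name} has had no release since {meta['last_release']} (unmaintained)")
    fixed = meta["vulnerable_below"]
    if fixed and parse_version(version) < parse_version(fixed):
        # The finding from the screenshot above: vulnerable, but fixable by upgrading.
        return Verdict("upgrade", f"{name} {version} has a known vulnerability; fixed in {fixed}",
                       suggested_version=meta["latest"])
    return Verdict("install", "no findings")


if __name__ == "__main__":
    for pkg, ver in [("requests", "2.28.0"), ("reqeusts", "0.0.1"),
                     ("oldlib", "1.0.0"), ("requests", "2.32.3"), ("mystery", "1.0")]:
        v = check_package(pkg, ver)
        print(f"{pkg} {ver}: {v.action} ({v.reason})")
```

The ordering matters: the most severe findings (malware, typosquat) short-circuit before the upgrade path, so an agent never receives an "upgrade" suggestion for a package it should not be using at all, and an unknown package is handed back to the developer rather than silently installed.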
We live in exciting times. Unfortunately, these are dangerous times as well. This MCP server tackles one of the bigger risks.
Happy agentic coding!