Security · March 29, 2026 · 6 min read
The MCP Ecosystem Just Hit 8,600 Servers. Here's What That Means.
873% growth in nine months. 8,600+ MCP servers. Zero standardized security vetting. The protocol powering AI agents has a trust problem — and the EU AI Act deadline is four months away.
Published by GitIntel Research
TLDR
- MCP (Model Context Protocol) is the open standard that lets AI agents talk to external tools — databases, APIs, file systems, browsers.
- 8,600+ servers, 873% growth since mid-2025. Context7 is the most popular. Ecosystem includes Shopify, Slack, GitHub, Playwright, and thousands more.
- Zero standardized security vetting — any developer can publish an MCP server. No review process. No permission auditing. Qualys flagged MCP as a "shadow IT" risk.
- EU AI Act (August 2026) will require organizations to inventory and audit AI tool integrations. Most teams can't list which MCP servers their developers use today.
- Mid-2025: ~900 MCP servers. Mostly official Anthropic integrations and early adopter experiments.
- Late 2025: Claude Code, Cursor, and Windsurf add native MCP support. Third-party server creation explodes.
- January 2026: 3,000+ servers. First MCP directories and marketplaces appear.
- March 2026: 8,600+ servers. 770+ indexed in skill directories. Context7 emerges as the most popular server. 95+ marketplaces listing MCP tools.
- Permission overreach — An MCP server that requests file system access to "read configs" could also read .env files, SSH keys, and credentials.
- Supply chain attacks — MCP servers are npm packages or binaries. A compromised dependency in an MCP server compromises every AI agent that uses it.
- Data exfiltration — An MCP server can send data anywhere. There's no sandboxing or network policy enforcement by default.
- Prompt injection via tools — A malicious MCP server can return tool results that manipulate the AI agent's behavior, causing it to take unintended actions with other tools.
- No audit trail — Most MCP servers don't log what the AI agent did with the tools it was given. If something goes wrong, there's no record of what happened.
- Which MCP servers are installed on developer machines?
- What permissions do those servers have?
- What data can they access?
- Is there an audit trail of AI agent actions?
- Who approved the installation of each server?
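One way to start answering the first two questions: an added example (not GitIntel's code) that inventories the servers declared in an MCP client config and flags unpinned packages, broad file system grants, and secrets passed in the environment. It assumes the `mcpServers` JSON layout used by MCP clients such as Claude Desktop and Cursor; the sample config, package names, and heuristics are constructed for illustration.

```python
import json
import re

# Constructed sample config in the "mcpServers" layout (hypothetical servers,
# not taken from a real machine).
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "example-fs-mcp", "/"]},
    "docs": {"command": "npx", "args": ["-y", "example-docs-mcp@1.4.2"]},
    "tickets": {
      "command": "/opt/mcp/tickets-server",
      "args": ["--read-only"],
      "env": {"TICKETS_API_TOKEN": "constructed-placeholder"}
    }
  }
}
"""

PINNED = re.compile(r".+@\d+\.\d+\.\d+$")   # name@1.2.3, scoped names included
SECRET_KEY = re.compile(r"TOKEN|SECRET|KEY|PASSWORD", re.I)
BROAD_PATHS = {"/", "~", "$HOME"}           # assumption: path args are access grants

def audit_server(spec):
    """Return finding codes for one server entry."""
    findings = []
    args = [str(a) for a in spec.get("args", [])]
    if spec.get("command") == "npx":
        # The first non-flag argument to npx is the package to fetch and run.
        pkg = next((a for a in args if not a.startswith("-")), None)
        if pkg and not PINNED.match(pkg):
            findings.append("unpinned-package")   # supply chain: floats to latest
    if any(a in BROAD_PATHS for a in args):
        findings.append("broad-path")             # permission overreach
    if any(SECRET_KEY.search(k) for k in spec.get("env", {})):
        findings.append("inline-secret")          # credential stored in the config
    return findings

def inventory(config_text):
    """Map each configured server name to its findings."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: audit_server(spec) for name, spec in sorted(servers.items())}

if __name__ == "__main__":
    for name, findings in inventory(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

Running the same function over each config file collected from developer machines gives a first-pass inventory; an empty finding list means only that these three heuristics did not match, not that the server is safe.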
See what AI agents are writing in your repos.
GitIntel scans your git history for AI-generated commits. Local-first. No data leaves your machine.
# Install
curl -fsSL https://gitintel.com/install.sh | sh
# Scan any repo
cd your-repo
gitintel scan
Open source (MIT) · Local-first · No data leaves your machine
Sources: SkillsIndex MCP Guide (2026), Qualys MCP Shadow IT Report (March 2026), Witness AI Series B ($58M), EU AI Act regulatory timeline, MarketsandMarkets AI Agent Security Forecast.