
March 29, 2026 · 6 min read

The MCP Ecosystem Just Hit 8,600 Servers. Here's What That Means.

In mid-2025, there were roughly 900 MCP servers. Today there are 8,600+. That's 873% growth in nine months. And not a single one went through a standardized security review before going live.

Published by GitIntel Research

TLDR

What Is MCP, and Why Should You Care?

Model Context Protocol (MCP) is an open standard, originally developed by Anthropic, that defines how AI agents interact with external tools. Think of it as USB for AI — a universal plug that lets any AI model talk to any service.

Before MCP, every AI integration was custom. Want Claude to read your database? Write a custom integration. Want it to control your browser? Another integration. Want it to access your Shopify store? Another one.

MCP standardizes this. An MCP server exposes a set of “tools” that any compatible AI client can discover and use. The server describes what it can do (in JSON Schema), and the AI decides when and how to call it.

# Example: configuring an MCP server in Claude Code
{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": ["@anthropic/mcp-playwright"]
    },
    "shopify": {
      "command": "npx",
      "args": ["@anthropic/mcp-shopify"],
      "env": {
        "SHOPIFY_ACCESS_TOKEN": "shpat_xxx"
      }
    }
  }
}

Simple configuration. Powerful capability. And therein lies the problem.

From 900 to 8,600 in Nine Months

The MCP ecosystem's growth curve looks less like adoption and more like a land grab. Here's the timeline:

  • Mid-2025: ~900 MCP servers. Mostly official Anthropic integrations and early adopter experiments.
  • Late 2025: Claude Code, Cursor, and Windsurf add native MCP support. Third-party server creation explodes.
  • January 2026: 3,000+ servers. First MCP directories and marketplaces appear.
  • March 2026: 8,600+ servers. 770+ indexed in skill directories. Context7 emerges as the most popular server. 95+ marketplaces listing MCP tools.

For comparison: the Chrome Web Store had about 8,500 extensions after its first two years. The MCP ecosystem reached the same scale in under a year.

The difference: Chrome extensions go through a review process. MCP servers don't.

The Security Problem Nobody's Solved

When you install an MCP server, you're giving an AI agent access to external systems on your behalf. A Playwright MCP server can control your browser. A database MCP server can read and write your data. A file system MCP server can access your local files.

Qualys, the enterprise security firm, published a report in March 2026 explicitly flagging MCP servers as a “shadow IT” risk — tools that employees install and use without IT visibility or approval.

The attack surface includes:

  • Permission overreach — An MCP server that requests file system access to “read configs” could also read .env files, SSH keys, and credentials.
  • Supply chain attacks — MCP servers are npm packages or binaries. A compromised dependency in an MCP server compromises every AI agent that uses it.
  • Data exfiltration — An MCP server can send data anywhere. There's no sandboxing or network policy enforcement by default.
  • Prompt injection via tools — A malicious MCP server can return tool results that manipulate the AI agent's behavior, causing it to take unintended actions with other tools.
  • No audit trail — Most MCP servers don't log what the AI agent did with the tools it was given. If something goes wrong, there's no record of what happened.

The market is responding — Witness AI raised $58 million for shadow AI detection (500%+ ARR growth). Proofpoint acquired Acuvity for AI governance. OpenAI is acquiring Promptfoo for AI vulnerability testing. But these are enterprise solutions. The average developer installing MCP servers from GitHub has zero security tooling today.

What MCP Actually Enables (When It Works)

The security risks are real, but so are the capabilities. MCP is why AI coding tools went from “autocomplete that sometimes works” to “autonomous agent that deploys code.”

Development workflows. A developer using Claude Code with MCP servers for Playwright, GitHub, and their database can ask the AI to “write a test for the login flow, run it in a real browser, check the results, and open a PR with the fix if it fails.” That entire workflow runs without the developer touching the keyboard.

Business operations. Shopify's MCP servers let AI agents search product catalogs, create checkout sessions, and track orders. Slack's MCP server lets agents read channels, send messages, and search conversations. These aren't toy demos — they're production integrations used by real businesses.

Research and knowledge work. MCP servers for web browsing, document retrieval, and knowledge graphs let AI agents do multi-step research that previously required a human to manually hop between tabs and tools.

The tension is clear: MCP makes AI agents genuinely powerful, and that same power makes them genuinely dangerous when the tools they're connected to aren't audited.

The EU AI Act Makes This Urgent

The EU AI Act takes full effect in August 2026. Among its requirements: organizations must maintain an inventory of AI systems, document their risk profiles, and demonstrate adequate oversight of AI tool integrations.

For most engineering teams, this means answering questions like:

If your answer to any of these is “we don't know,” you have four months to figure it out. The AI agent security market is projected to reach $52.6 billion by 2030 (MarketsandMarkets) precisely because most organizations can't answer these questions today.

What Developers and Teams Should Do Now

1. Inventory your MCP servers

Check your claude_desktop_config.json, .cursor/mcp.json, and project-level MCP configs. Know exactly which servers are running and what they have access to.

2. Audit permissions

For each MCP server, check: what tools does it expose? What environment variables (credentials, tokens) does it require? Does it need network access? Could it be replaced with a more restricted alternative?

3. Pin versions and verify sources

Don't install MCP servers from unverified GitHub repos. Pin to specific versions. Check the source code. Treat MCP server installation with the same diligence you'd apply to any dependency in your production stack.

4. Track what your AI agents are doing

Use gitintel scan to see which commits in your repo were produced by AI agents using these tools. Attribution is the first step toward accountability.
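Steps 1 to 3 can be scripted. The following is an added example, not GitIntel's code and not part of the original post: it inventories every entry in an "mcpServers" map, records which credential names each server receives, and flags npx packages that are not pinned to an exact version. It assumes the config layout shown earlier in this post and npx-launched servers; the function names and the 1.4.2 version in the sample are made up for illustration.

```python
import json
import re
import sys
from pathlib import Path

# File names the article mentions; their location on disk varies by OS and tool.
CONFIG_NAMES = {"claude_desktop_config.json", "mcp.json"}
SECRET_HINT = re.compile(r"TOKEN|SECRET|KEY|PASSWORD", re.I)
# npm spec with an exact version: "pkg@1.2.3" or "@scope/pkg@1.2.3"
PINNED = re.compile(r"^(@[^/@]+/)?[^/@]+@\d+\.\d+\.\d+")


def audit_config(config):
    """Return one inventory row per entry in the "mcpServers" map."""
    servers = config.get("mcpServers", {}) if isinstance(config, dict) else {}
    rows = []
    for name, spec in servers.items():
        args = [a for a in spec.get("args", []) if not a.startswith("-")]
        package = args[0] if spec.get("command") == "npx" and args else None
        rows.append({
            "server": name,
            "command": spec.get("command"),
            "package": package,
            # None means "not an npx launch": check that binary's version by hand.
            "pinned": bool(PINNED.match(package)) if package else None,
            # Report credential names only; never echo the values.
            "credentials": sorted(k for k in spec.get("env", {}) if SECRET_HINT.search(k)),
        })
    return rows


def find_configs(root):
    """List MCP config files under root (a home directory or a project checkout)."""
    return sorted(p for p in Path(root).rglob("*.json") if p.name in CONFIG_NAMES)


# Constructed sample in the article's format; the pinned version is made up.
SAMPLE = {"mcpServers": {
    "playwright": {"command": "npx", "args": ["-y", "@anthropic/mcp-playwright"]},
    "shopify": {"command": "npx", "args": ["@anthropic/mcp-shopify@1.4.2"],
                "env": {"SHOPIFY_ACCESS_TOKEN": "shpat_xxx", "LOG_LEVEL": "info"}},
}}

if __name__ == "__main__":
    paths = find_configs(sys.argv[1]) if len(sys.argv) > 1 else []
    configs = [(str(p), json.loads(p.read_text())) for p in paths] or [("SAMPLE", SAMPLE)]
    for source, config in configs:
        for row in audit_config(config):
            note = "  <-- version not pinned" if row["pinned"] is False else ""
            print(f"{source}: {row}{note}")
```

Run it with a directory argument to scan real configs, or with no argument to see the output for the sample.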

See what AI agents are writing in your repos.

GitIntel scans your git history for AI-generated commits. Local-first. No data leaves your machine.

# Install
curl -fsSL https://gitintel.com/install.sh | sh

# Scan any repo
cd your-repo
gitintel scan

Open source (MIT) · Local-first · No data leaves your machine

Sources: SkillsIndex MCP Guide (2026), Qualys MCP Shadow IT Report (March 2026), Witness AI Series B ($58M), EU AI Act regulatory timeline, MarketsandMarkets AI Agent Security Forecast.