ToolTrust Scanner – detect backdoored MCP packages (litellm 1.82.8)

# ToolTrust Scanner

[![CI](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/ci.yml/badge.svg)](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/ci.yml) [![Security](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/security.yml/badge.svg)](https://github.com/AgentSafe-AI/tooltrust-scanner/actions/workflows/security.yml) [![GitHub stars](https://img.shields.io/github/stars/AgentSafe-AI/tooltrust-scanner?style=social)](https://github.com/AgentSafe-AI/tooltrust-scanner/stargazers) [![Go Report Card](https://goreportcard.com/badge/github.com/AgentSafe-AI/tooltrust-scanner)](https://goreportcard.com/report/github.com/AgentSafe-AI/tooltrust-scanner) [![tooltrust-scanner MCP server](https://glama.ai/mcp/servers/AgentSafe-AI/tooltrust-scanner/badges/score.svg)](https://glama.ai/mcp/servers/AgentSafe-AI/tooltrust-scanner) [![npm](https://img.shields.io/npm/v/tooltrust-mcp?label=npm&color=blue)](https://www.npmjs.com/package/tooltrust-mcp) [![npm downloads](https://img.shields.io/npm/dm/tooltrust-mcp?label=npm%20downloads)](https://www.npmjs.com/package/tooltrust-mcp) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)

**Scan MCP servers for prompt injection, data exfiltration, and privilege escalation before your AI agent blindly trusts them.**

> **🚨 Supply-Chain Incident Coverage (March 2026)**
> ToolTrust now detects and blocks confirmed supply-chain incidents including the LiteLLM / TeamPCP compromise and the malicious axios npm publish (`axios@1.14.1`, `axios@0.30.4`). For npm-backed MCP servers, ToolTrust now combines blacklist matches, lifecycle-script review, transitive lockfile recovery, and IOC matching such as `plain-crypto-js` to surface suspicious releases earlier.
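To make the npm checks described above concrete (blocklisted release, IOC helper package, install-time lifecycle script, all found by walking a lockfile's transitive entries), here is a small Go example written for this page; it is not ToolTrust's own implementation. The `blocked` and `iocPackages` entries are the indicators this README names, while the `BLOCKLIST`/`IOC`/`LIFECYCLE` labels and the sample lockfile are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Finding is one supply-chain observation about a lockfile entry.
type Finding struct{ Rule, Package, Version, Detail string }
// lockfile mirrors the parts of npm's package-lock.json (v2/v3) this example reads.
type lockfile struct {
	Packages map[string]struct {
		Version          string `json:"version"`
		HasInstallScript bool   `json:"hasInstallScript"` // npm sets this for preinstall/install/postinstall
	} `json:"packages"`
}
// Indicators quoted from the README; the rule labels are this example's own.
var blocked = map[string]bool{"axios@1.14.1": true, "axios@0.30.4": true}
var iocPackages = map[string]bool{"plain-crypto-js": true}
// ScanLockfile walks every "packages" entry; npm lists transitive deps there too.
func ScanLockfile(data []byte) ([]Finding, error) {
	var lf lockfile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	var out []Finding
	for path, p := range lf.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue // "" is the root project entry, not a dependency
		}
		name := path[i+len("node_modules/"):] // ".../node_modules/@s/b" -> "@s/b"
		add := func(rule, detail string) { out = append(out, Finding{rule, name, p.Version, detail}) }
		if blocked[name+"@"+p.Version] {
			add("BLOCKLIST", "known compromised release")
		}
		if iocPackages[name] {
			add("IOC", "incident indicator package")
		}
		if p.HasInstallScript {
			add("LIFECYCLE", "runs a script at install time")
		}
	}
	return out, nil
}
// Constructed sample lockfile (not a real project) that hits each check once.
const sampleLock = `{"lockfileVersion": 3, "packages": {"": {"version": "0.1.0"},
  "node_modules/axios": {"version": "1.14.1"},
  "node_modules/build-helper": {"version": "2.0.0", "hasInstallScript": true},
  "node_modules/build-helper/node_modules/plain-crypto-js": {"version": "0.0.1"}}}`
```

Running `ScanLockfile([]byte(sampleLock))` yields three findings, one per rule; the nested `plain-crypto-js` entry is caught without any dependency-tree resolution because npm already flattens transitive packages into the `packages` map.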
![ToolTrust MCP demo](docs/mcp-demo.gif)

## Live UI

![ToolTrust Directory UI](docs/tooltrust-ui.png)

- Browse the public directory: [https://www.tooltrust.dev/](https://www.tooltrust.dev/)
- Look up historical grades for popular MCP servers
- Review findings in a browser before installing or trusting a server

## What it looks like

```
Scan Summary: 14 tools scanned | 13 allowed | 1 need approval | 0 blocked
Tool Grades: A×13 C×1
Findings by Severity: HIGH×1 MEDIUM×14 LOW×1 (16 total)

Flagged Tools:
  • search_files 🟡 GRADE C needs approval
    [AS-002] High: Network access declared
    [AS-011] Low: Missing rate-limit or timeout

Action now: Keep this tool on manual approval until the risky capabilities are reviewed.
```

## 🤖 Let your AI agent scan its own tools

Add ToolTrust as an MCP server in your `.mcp.json` and your agent can audit every tool it has access to:

> **Note:** First run downloads a ~10MB Go binary from GitHub Releases. Subsequent runs use the cached binary.

```json
{
  "mcpServers": {
    "tooltrust": {
      "command": "npx",
      "args": ["-y", "tooltrust-mcp"]
    }
  }
}
```

Then ask your agent to run:

- `tooltrust_scan_config` to scan all configured MCP servers
- `tooltrust_scan_server` to scan one specific server
- Full MCP tool list: [Usage guide](docs/USAGE.md#mcp-tools)

## 🔍 What it catches

- Prompt injection and tool poisoning hidden in descriptions
- Excessive permissions such as `exec`, `network`, `db`, and `fs`
- Supply-chain CVEs and known compromised package versions
- Suspicious npm lifecycle scripts that execute during install
- Suspicious npm IOC dependencies and indicators such as `plain-crypto-js`, reviewed install-script patterns, malicious domains, and URLs referenced from published package metadata
- Dependency visibility gaps when an MCP server does not expose enough metadata for supply-chain analysis
- Privilege escalation and arbitrary code execution patterns
- Typosquatting, tool shadowing, and insecure secret handling
- Missing rate-limit, timeout, or retry configuration on risky tools

ToolTrust now labels supply-chain coverage in scan output:

- `No dependency data`
- `Declared by MCP metadata`
- `Verified from local lockfile`
- `Verified from remote lockfile`
- `Repo URL available`

For live local scans, ToolTrust also makes a best-effort inspection of common dependency artifacts when it can infer a project root from the launch command:

- `package-lock.json` / `npm-shrinkwrap.json`
- `pnpm-lock.yaml`
- `yarn.lock`
- `go.sum`
- `requirements.txt`

For remote GitHub repos exposed via `repo_url`, ToolTrust also inspects common lockfiles for transitive dependency evidence:

- `package-lock.json`
- `pnpm-lock.yaml`
- `yarn.lock`
- `go.sum`
- `requirements.txt`

Recent incident coverage includes:

- LiteLLM `1.82.7` / `1.82.8` and related TeamPCP compromise indicators
- Axios `1.14.1` / `0.30.4` malicious npm publish
- npm metadata IOC detection for helper packages such as `plain-crypto-js`

Full rule catalog: [docs/RULES.md](docs/RULES.md) · [tooltrust.dev](https://www.tooltrust.dev/)

Threat-intel and IOC promotion flow: [docs/IOC_PIPELINE.md](docs/IOC_PIPELINE.md)

Scanner scope guardrails: [docs/SCANNER_SCOPE.md](docs/SCANNER_SCOPE.md)

## More ways to use ToolTrust

- CLI install, examples, and flags: [Usage guide](docs/USAGE.md#cli)
- Scan-before-install workflow: [Gate docs](docs/USAGE.md#gate)
- CI / GitHub Actions examples: [CI integration](docs/USAGE.md#github-actions)
- Pre-commit / alias setup: [Pre-hook integration](docs/USAGE.md#pre-hook-integration)

---

[Usage guide](docs/USAGE.md) · [Developer guide](docs/DEVELOPER.md) · [Contributing](docs/CONTRIBUTING.md) · [Changelog](CHANGELOG.md) · [Security](docs/SECURITY.md) · [License: MIT](LICENSE)

© 2026 AgentSafe-AI