The shared context window architecture means a single malicious MCP server description can redirect every other connected tool without being called, and the defenses that eventually hardened npm — signing, sandboxing, provenance — do not yet exist as MCP protocol requirements.