You wire up an MCP server. Maybe it's Stripe, maybe it's your Postgres database, maybe it's a filesystem server you found on GitHub last week. Your agent discovers the tools, reads their schemas, and now it can call them. You
MCP
A collection of 2 posts
Malicious npm Packages With Valid SLSA Provenance: Inside the TanStack Attack
On 11 May 2026, between 19:20 and 19:26 UTC, someone published 84 malicious versions across 42 @tanstack/* npm packages. Six minutes, start to finish. @tanstack/react-router alone pulls north of 12 million weekly downloads, so the blast radius