{"slug": "i-built-8-security-layers-for-an-mcp-marketplace-here-s-what-each-one-actually", "title": "I built 8 security layers for an MCP marketplace. Here's what each one actually catches.", "summary": "Edison Flores of AliceLabs LLC built eight security layers for the MCP marketplace at marketnow.site after a trojan (Trojan:Win64/Lazy.PGPK!MTB) slipped through a nested zip file. The layers include metadata scanning, static analysis, binary scanning, YARA rules, a web application firewall, honeypots, IOC feeds from abuse.ch, and sandboxed execution. A re-audit of all 14,581 skills found zero in quarantine, and the infrastructure costs $0 per month.", "body_md": "After a real trojan slipped through my MCP marketplace last week (`Trojan:Win64/Lazy.PGPK!MTB`\n\nhidden in a nested zip), I went deep on defense-in-depth. The result is 8 layers running in production at [marketnow.site](https://marketnow.site).\n\nHere's what each layer actually catches — with concrete examples.\n\nThe cheapest layer. Runs on every skill's metadata (name, description, system_prompt, install command).\n\n**Catches:**\n\n`Access-Control-Allow-Origin: *`\n\n**Doesn't catch:** anything inside the actual package zip. That's why the trojan got through initially.\n\n18 Semgrep-equivalent rules + 18 secret detection patterns + OSV dependency vulnerability check.\n\n**Catches:**\n\n`sk_live_*`\n\n, GitHub `ghp_*`\n\n, AWS `AKIA*`\n\n)`exec(req.body)`\n\n)`fetch(req.url)`\n\n)`readFile(req.params.path)`\n\n)`read_file`\n\nto impersonate the official one)**Doesn't catch:** secrets inside code blocks in README (we strip those — false positives), `process.env.X`\n\nreferences (variable lookups, not hardcoded).\n\nThis is the layer I built *after* the trojan incident. It opens the actual package zip (recursively — zips inside zips) and scans for:\n\n`.exe`\n\n, `.dll`\n\n, `.scr`\n\n, `.msi`\n\n) → instant quarantine`.bat`\n\n, `.cmd`\n\n, `.vbs`\n\n, `.ps1`\n\n) → instant quarantine`start X.exe Y.txt`\n\npattern — the exact prospector trojan signature)`function(o,R,F,U,b,p,E,M,Z,W,...)`\n\n)`raw.githubusercontent.com/.../...zip`\n\n)`-encodedcommand`\n\n`eval(atob(...))`\n\n**Catches:** the exact trojan that hit us. Verified with a smoke test that scans the original malicious zip from git history.\n\nYARA-equivalent rules for specific malware families:\n\nEach rule has a MITRE ATT&CK technique ID. Any match → instant quarantine.\n\nInspects every incoming HTTP request for attack patterns:\n\n`../`\n\n, encoded `%2e%2e`\n\n, `/etc/passwd`\n\n, `/proc/self`\n\n, Windows paths`file://`\n\n, `gopher://`\n\n, `dict://`\n\n`$()`\n\n, chained `; ls`\n\n, pipe `| cat`\n\n, `&& ||`\n\n`$where`\n\n, `$ne`\n\n, `$gt`\n\n`__proto__`\n\n, `constructor.prototype`\n\n`{{ }}`\n\n, Twig `{% %}`\n\n, JS `${ }`\n\nwith header injection**Auto-ban** after 5 WAF hits in 10 minutes (1-hour ban).\n\nFake vulnerable paths that auto-ban scanners for 24 hours:\n\n`/.env`\n\n→ serves a fake env file with canary tokens`/admin`\n\n→ serves a fake admin login form`/wp-admin`\n\n→ serves a fake WordPress login`/.git/config`\n\n→ serves a fake git config`/.aws/credentials`\n\n→ serves fake AWS credentials`/.ssh/id_rsa`\n\n→ serves a fake SSH key`/phpmyadmin`\n\n→ serves a fake phpMyAdmin`/backup.sql`\n\n→ serves a fake database dump`/server-status`\n\n, `/.DS_Store`\n\n, `/web.config`\n\n, `/Dockerfile`\n\n, etc.Any access → IP banned 24h + logged publicly at `/api/security?view=honeypot`\n\n.\n\nReal-time IOC feeds from abuse.ch:\n\nUsed to check skill source URLs and file hashes. If a skill's source URL is in URLhaus, it gets quarantined.\n\nIf any layer flags a skill as critical/high:\n\n`_data/quarantine/`\n\n`skills_index.json`\n\n)`/api/security?view=quarantine`\n\nfor transparencyRe-audited all 14,581 skills with the new layers.\n\n**Result: 0 skills in quarantine.**\n\nThe catalog was clean — the only malicious skill (prospector-email-finder) had already been removed manually. The 8 layers now run on every new skill import and every weekly batch re-audit.\n\n`--network none`\n\n, `--read-only`\n\n, `--cap-drop ALL`\n\n)Total infrastructure cost: $0/month. The marketplace is free. The security infrastructure is the product.\n\n`npx -y marketnow-mcp`\n\nNot selling anything. Looking for feedback from people who run MCP servers in production — what would make you trust a marketplace enough to install skills from it?\n\n— *Edison Flores, AliceLabs LLC*", "url": "https://wpnews.pro/news/i-built-8-security-layers-for-an-mcp-marketplace-here-s-what-each-one-actually", "canonical_source": "https://dev.to/edison_flores_6d2cd381b13/i-built-8-security-layers-for-an-mcp-marketplace-heres-what-each-one-actually-catches-49fc", "published_at": "2026-07-16 00:48:40+00:00", "updated_at": "2026-07-16 01:35:51.649315+00:00", "lang": "en", "topics": ["ai-safety", "ai-infrastructure", "developer-tools"], "entities": ["Edison Flores", "AliceLabs LLC", "marketnow.site", "Trojan:Win64/Lazy.PGPK!MTB", "abuse.ch", "MITRE ATT&CK"], "alternates": {"html": "https://wpnews.pro/news/i-built-8-security-layers-for-an-mcp-marketplace-here-s-what-each-one-actually", "markdown": "https://wpnews.pro/news/i-built-8-security-layers-for-an-mcp-marketplace-here-s-what-each-one-actually.md", "text": "https://wpnews.pro/news/i-built-8-security-layers-for-an-mcp-marketplace-here-s-what-each-one-actually.txt", "jsonld": "https://wpnews.pro/news/i-built-8-security-layers-for-an-mcp-marketplace-here-s-what-each-one-actually.jsonld"}}