The npm/Docker/PyPI supply chain security pattern is repeating with MCP, and we are at the 2015 moment

The sequence is always the same: registry launches and grows fast, minimal vetting because the priority is growth, first wave of incidents, community outrage, tooling catches up, security becomes a baseline expectation. npm took about three years to go from event-stream to `npm audit` being standard. Docker Hub took similar. MCP is at step 2 heading into step 3. The numbers from a scan of 500 Smithery servers this month: 18.8% had security findings, 6 had live hardcoded credentials, none were caught by a pre-publication scan because there is no pre-publication scan. A Check Point research disclosure in February showed an 8.7 CVSS attack chain against Claude Code where the entire payload was natural language in a config file. The difference from npm is what the malicious content does. An npm package executes unauthorized code. A malicious MCP skill file gives unauthorized instructions to an agent that already has access to your tools, file system, and APIs. The LLM cannot distinguish between instructions from the user and instructions from a skill file. Both arrive in the context window and both get acted on. Existing security tooling has no model for this. The fix is the same three layers it always is: pre-publication registry scanning, CI integration for consumers, and a public advisory database. None of the three exist yet in any mature form for MCP. Whether the timeline is one year or three depends on whether registry operators move proactively or wait for a sufficiently public incident. Based on how npm and Docker played out, my bet is on the incident coming first. We built a static scanner for this: `pip install bawbel` \- scans skill files and MCP server configs without executing anything. The vulnerability database it checks against the AVE.