Continuous monitoring caught a credential leak in a published MCP package. Six republishes later, it is still there. This is a disclosure writeup. It describes the case at the class level only. No credential values are quoted anywhere in this post.

What was found

The package is fa-mcp-sdk on npm. It is distributed as a Model Context Protocol SDK, which means it is installed by agent-framework tooling (Claude, Cursor, OpenAI agents, custom MCP clients), typically via npm install fa-mcp-sdk or npx -y fa-mcp-sdk. Because that install path runs without manual review in most agent setups, anything inside the published tarball reaches consumers immediately on first install.

On 2026-04-19 a continuous scanner I run flagged the package on a fresh publish. The score dropped sharply, and the finding type was hardcoded_secret at critical severity. On manual review I found a file at package/config/local.yaml containing real production credentials.…
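To show the kind of class-level check that produces a hardcoded_secret finding on an extracted npm tarball, and how it can be re-run on each republish, here is an added example. It is not the author's scanner and not code from the fa-mcp-sdk package; the file contents, package name and version tags below are constructed, and the key/path patterns are illustrative assumptions.

```python
import re
from typing import Dict, List

# Paths that commonly carry developer-local configuration and should never ship in a tarball (assumed list).
SENSITIVE_PATHS = re.compile(r"(^|/)(config/local\.ya?ml|\.env(\..+)?|credentials\.json)$")
# Keys whose values are likely to be credentials (assumed list).
SECRET_KEY = re.compile(r"(password|passwd|secret|api[_-]?key|token|private[_-]?key)", re.I)
# Flat "key: value" / "key=value" lines, enough for simple YAML and .env files.
KV_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*[:=]\s*(.+?)\s*$")
PLACEHOLDERS = {"", "changeme", "xxx", "<redacted>", "null", "none", "example"}


def scan_package(files: Dict[str, str]) -> List[dict]:
    """Scan {path: contents} of an extracted tarball and return class-level findings.
    The matched value is deliberately never copied into the finding."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = KV_LINE.match(line)
            if not m or not SECRET_KEY.search(m.group(1)):
                continue
            value = m.group(2).strip("\"'")
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue  # templated or placeholder values are not leaks
            severity = "critical" if SENSITIVE_PATHS.search(path) else "high"
            findings.append({"type": "hardcoded_secret", "path": path,
                             "line": lineno, "key": m.group(1), "severity": severity})
    return findings


def persists_across_versions(versions: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the version tags whose contents still carry a critical hardcoded_secret finding."""
    return [tag for tag, files in versions.items()
            if any(f["severity"] == "critical" for f in scan_package(files))]


# Constructed sample tarball contents; the secret-looking value is a stand-in, not a real credential.
SAMPLE_LEAKY = {
    "package/package.json": '{"name": "example-mcp-sdk", "version": "1.0.0"}',
    "package/config/local.yaml": "database:\n  host: localhost\n  password: CONSTRUCTED-sample-value\napi_key: ${API_KEY}\n",
    "package/src/index.js": "const token = process.env.TOKEN;\n",
}
SAMPLE_FIXED = {k: v for k, v in SAMPLE_LEAKY.items() if not k.endswith("local.yaml")}
VERSIONS = {"1.0.0": SAMPLE_LEAKY, "1.0.1": SAMPLE_LEAKY, "1.0.2": SAMPLE_FIXED}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_LEAKY):
        print(f)  # path, line, key and severity only; no value
    print("still leaking in:", persists_across_versions(VERSIONS))
```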