Four MCP packages, four ways the supply chain shifted in two weeks of npm monitoring

DEV Community·Michael Kayode Onyekwere·about 1 month ago

By Michael K Onyekwere

I monitor nearly a thousand published MCP packages on npm in real time. The pipeline polls the npm changes feed every two minutes, scans every newly published version, and scores the result against the previous baseline. When a real package update drops the score below the confidence threshold, a public advisory is generated and the RSS feed updates.

This post collects four worked examples from the last two weeks. The named packages are not malicious. The point is to make visible the kinds of routine changes a consumer would never see at install time, because the install path is npx -y <package> or an equivalent unpinned npm install that always pulls whatever version is current on the registry.

1. prism-mcp-server: four capabilities added in one major version bump

This is the strongest single drift event of the period.…
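The core of the publish-time check described above, as an added example in Node.js that is not the author's pipeline and not code from any of the named packages. It diffs a newly published version of an MCP package against the previous baseline (tools, capabilities, dependencies, lifecycle scripts, major version bump), reduces a score that starts at 1.0, and raises an advisory when the score falls below a confidence threshold. It also shows what an unpinned npx -y <package> resolves to: whatever the registry's latest dist-tag currently points at. The manifest layout (an mcp.tools / mcp.capabilities section), the weights, the threshold value and both sample manifests are assumptions constructed for this illustration; the article does not publish its scoring rules.

```javascript
// Added example: publish-time drift scoring for an MCP package.
// Not the article's pipeline. Manifest shape (mcp.tools, mcp.capabilities),
// penalty weights and CONFIDENCE_THRESHOLD are assumptions for illustration.

const CONFIDENCE_THRESHOLD = 0.6; // assumed; the article does not state its value

// Minimal semver parse: "2.0.0" -> [2, 0, 0]. Prerelease/build suffixes are ignored.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Names present in `after` but not `before`, and vice versa.
function diffNames(before, after) {
  const b = new Set(before);
  const a = new Set(after);
  return {
    added: [...a].filter((x) => !b.has(x)).sort(),
    removed: [...b].filter((x) => !a.has(x)).sort(),
  };
}

// Score starts at 1.0 (no drift) and is reduced for each finding.
function scoreDrift(baseline, candidate) {
  const findings = [];
  let score = 1.0;
  const penalize = (amount, text) => { score -= amount; findings.push(text); };

  const [bMajor] = parseSemver(baseline.version);
  const [cMajor] = parseSemver(candidate.version);
  if (cMajor > bMajor) penalize(0.1, `major version bump ${baseline.version} -> ${candidate.version}`);

  const tools = diffNames(baseline.mcp.tools, candidate.mcp.tools);
  for (const t of tools.added) penalize(0.1, `tool added: ${t}`);
  for (const t of tools.removed) penalize(0.05, `tool removed: ${t}`);

  const caps = diffNames(baseline.mcp.capabilities, candidate.mcp.capabilities);
  for (const c of caps.added) penalize(0.1, `capability added: ${c}`);
  for (const c of caps.removed) penalize(0.05, `capability removed: ${c}`);

  const deps = diffNames(Object.keys(baseline.dependencies || {}),
                         Object.keys(candidate.dependencies || {}));
  for (const d of deps.added) penalize(0.05, `dependency added: ${d}`);

  // Lifecycle scripts execute on the consumer's machine at install time, so a
  // new or changed one is weighted far more heavily than a declared capability.
  const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
  for (const name of LIFECYCLE) {
    const before = (baseline.scripts || {})[name];
    const after = (candidate.scripts || {})[name];
    if (after && after !== before) penalize(0.4, `lifecycle script ${name} ${before ? 'changed' : 'added'}`);
  }

  score = Math.max(0, Math.round(score * 100) / 100);
  return { score, findings, advisory: score < CONFIDENCE_THRESHOLD };
}

// What `npx -y <package>` or an unpinned `npm install <package>` resolves to:
// the registry's `latest` dist-tag, whatever version it points at right now.
function resolveUnpinned(packument) {
  return packument['dist-tags'].latest;
}

// --- constructed sample data; not a real package or registry document ---
const baseline = {
  name: 'example-mcp-server', version: '1.2.0',
  dependencies: { zod: '^3.22.0' },
  scripts: { build: 'tsc' },
  mcp: { tools: ['list_files', 'read_file'], capabilities: ['resources', 'tools'] },
};
const candidate = {
  name: 'example-mcp-server', version: '2.0.0',
  dependencies: { zod: '^3.22.0', 'node-fetch': '^3.3.0' },
  scripts: { build: 'tsc' },
  mcp: {
    tools: ['list_files', 'read_file', 'write_file', 'run_command', 'http_fetch'],
    capabilities: ['resources', 'tools', 'prompts'],
  },
};
const packument = {
  name: 'example-mcp-server',
  'dist-tags': { latest: '2.0.0' },
  versions: { '1.2.0': baseline, '2.0.0': candidate },
};

// Stand-alone run: print the drift report and the version an unpinned install would pull.
console.log(JSON.stringify(scoreDrift(baseline, candidate), null, 2));
console.log(`npx -y ${packument.name} would run version ${resolveUnpinned(packument)}`);
```

With the constructed manifests the candidate loses 0.1 for the major bump, 0.3 for three added tools, 0.1 for an added capability and 0.05 for a new dependency, ending at 0.45 and tripping the advisory; a version that only added a postinstall script would land at 0.6 from that single finding, which is why install-time scripts carry the largest weight. A consumer running npx -y example-mcp-server never sees any of this because the registry's latest tag already points at 2.0.0; pinning to example-mcp-server@1.2.0 is the only way to keep the baseline.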
