
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
@morphllm/morphmcp
Advanced tools
Fast & accurate MCP server with AI-powered file editing and intelligent code search. Prevents context pollution and saves time for a better user experience.
Unified Model Context Protocol (MCP) server providing AI-powered file editing and intelligent code search capabilities. Built on Morph's SDK for fast, accurate code operations.
| Variable | Description | Default |
|---|---|---|
MORPH_API_KEY | Your Morph API key (required for AI tools) | - |
ENABLED_TOOLS | Comma-separated list of enabled tools, or all | edit_file,fast_context_search |
MORPH_DEBUG | Enable debug logging for grep agent (true/false) | false |
ENABLE_WORKSPACE_MODE | Auto-detect workspace root (true/false) | true |
WORKSPACE_ROOT | Override workspace root directory | $PWD |
Control which tools are available using ENABLED_TOOLS. By default, only AI-powered tools (edit_file and fast_context_search) are enabled to keep the interface clean. Enable additional filesystem tools as needed:
# Default: Only AI-powered tools
# (No ENABLED_TOOLS needed - edit_file and fast_context_search are enabled by default)
# Enable all tools including filesystem operations
ENABLED_TOOLS=all
# Only AI-powered tools (explicit, same as default)
ENABLED_TOOLS=edit_file,fast_context_search
# Only fast apply
ENABLED_TOOLS=edit_file
# Only context search
ENABLED_TOOLS=fast_context_search
# Custom selection
ENABLED_TOOLS=read_file,write_file,edit_file,fast_context_search
edit_filePRIMARY TOOL FOR EDITING FILES - Efficiently edit existing files by smartly showing only changed lines. Uses Morph's Fast Apply model (via @morphllm/morphsdk) for intelligent code merging.
Key features:
// ... existing code ...Requires: MORPH_API_KEY
Note for Cursor users: If you're using this tool within Cursor, you may need to first use another tool (like search_replace) to add exactly one empty newline somewhere in the file before using edit_file. This ensures the file is in an editable state.
fast_context_searchIntelligently search and gather relevant code context from a repository using Morph's WarpGrep AI-powered search agent. Automatically explores the codebase with grep, file reading, and directory analysis to find exactly what you need.
Key features:
Example queries:
Requires: MORPH_API_KEY
Note: These tools are available but disabled by default. Set ENABLED_TOOLS=all to enable.
read_file - Read complete file contents with optional head/tail (memory-efficient for large files)read_multiple_files - Read multiple files simultaneouslywrite_file - Create or overwrite files with atomic writestiny_edit_file - Make small line-based edits with diff outputNote: These tools are available but disabled by default. Set ENABLED_TOOLS=all to enable.
create_directory - Create directories recursivelylist_directory - List directory contentslist_directory_with_sizes - List with file sizes and sortingdirectory_tree - Get recursive JSON tree structuremove_file - Move/rename files and directoriesNote: These tools are available but disabled by default. Set ENABLED_TOOLS=all to enable.
search_files - Recursively search with exclude patternsget_file_info - Get detailed file metadatalist_allowed_directories - Show accessible directoriesAdd to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"morph-mcp": {
"command": "npx",
"args": ["-y", "morph-mcp"],
"env": {
"MORPH_API_KEY": "sk-your-morph-api-key-here",
"ENABLED_TOOLS": "all"
}
}
}
}
Add to .cursor/mcp.json:
{
"mcpServers": {
"morph-mcp": {
"command": "npx",
"args": ["-y", "morph-mcp"],
"env": {
"MORPH_API_KEY": "sk-your-morph-api-key-here",
"ENABLED_TOOLS": "all"
}
}
}
}
One-liner installation:
claude mcp add morph-mcp -e MORPH_API_KEY=sk-your-morph-api-key-here -e ENABLED_TOOLS=all -- npx morph-mcp
{
"mcpServers": {
"morph-mcp": {
"command": "docker",
"args": [
"run", "-i", "--rm",
"--mount", "type=bind,src=/Users/username/Desktop,dst=/projects/Desktop",
"morph-llm/morph-mcp", "/projects"
],
"env": {
"MORPH_API_KEY": "sk-your-morph-api-key-here",
"ENABLED_TOOLS": "all"
}
}
}
}
For quick installation, click the installation buttons below:
Or manually add to .vscode/mcp.json:
{
"mcp": {
"servers": {
"morph-mcp": {
"command": "npx",
"args": ["-y", "morph-mcp", "${workspaceFolder}"],
"env": {
"MORPH_API_KEY": "sk-your-morph-api-key-here",
"ENABLED_TOOLS": "all"
}
}
}
}
}
sk- or morph-For fast editing only:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "edit_file"
}
}
For code search only:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "fast_context_search"
}
}
For everything (including all filesystem tools):
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "all"
}
}
Default (AI tools only - recommended for most use cases):
{
"env": {
"MORPH_API_KEY": "sk-..."
// ENABLED_TOOLS defaults to edit_file,fast_context_search
}
}
In your AI assistant, try:
Ask AI: "Use the edit_file tool to add error handling to this function"
The AI will:
1. Read the current code (or use existing context)
2. Generate smart edit instructions with "// ... existing code ..."
3. Apply changes at 10,500+ tokens/sec using Morph's Fast Apply
4. Show you a git-style unified diff
5. Report errors (if any) to Morph for continuous improvement
Ask AI: "Use fast_context_search to find where JWT tokens are validated"
The WarpGrep agent will:
1. Explore the repository using grep, read, and analyse tools
2. Perform multi-round intelligent exploration
3. Find relevant code across multiple files
4. Return precise line ranges with full context (not entire files)
5. Display formatted XML output with line numbers
6. Show summary of tool calls made during search
@morph-llm/morph-fast-applyOld config:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ALL_TOOLS": "false"
}
}
New config:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "edit_file"
}
}
morph-codeseekOld config:
{
"env": {
"GREP_AGENT_API_KEY": "sk-..."
}
}
New config:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "fast_context_search"
}
}
morph-mcp/
├── index.ts # Main server & tool registry
├── grep/ # Fast context search agent (WarpGrep)
│ ├── agent/ # Multi-round exploration logic
│ ├── tools/ # Grep, read, analyse, finish
│ └── utils/ # Ripgrep, file finder, logger
├── path-utils.ts # Path normalization & Windows/WSL support
├── path-validation.ts # Security validation
├── roots-utils.ts # MCP Roots protocol handling
└── @morphllm/morphsdk # Morph SDK integration (Fast Apply & WarpGrep)
MORPH_API_KEY=sk-...edit_file and fast_context_search are enabled. To enable all filesystem tools, set ENABLED_TOOLS=allENABLED_TOOLS listtail -f ~/Library/Logs/Claude/mcp*.log (Claude Desktop) or check stderr outputMORPH_DEBUG=trueMORPH_API_KEY is correctly setlist_allowed_directories tool)list_allowed_directories toolENABLE_WORKSPACE_MODE=true| Feature | Speed | Accuracy |
|---|---|---|
| Fast Apply (edit_file) | 10,500+ tok/sec | 98% |
| Context Search (WarpGrep) | Multi-round, <30s | High relevance |
| File Operations | Native speed | 100% |
Note: Performance metrics are based on Morph's production models. Actual performance may vary based on file size, complexity, and network conditions.
MIT License - See LICENSE file for details
Built by Morph - Making AI code editing fast and accurate.
FAQs
Fast & accurate MCP server with AI-powered file editing and intelligent code search. Prevents context pollution and saves time for a better user experience.
The npm package @morphllm/morphmcp receives a total of 4,614 weekly downloads. As such, @morphllm/morphmcp popularity was classified as popular.
We found that @morphllm/morphmcp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.