
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@morphllm/morphmcp
Advanced tools
Fast & accurate MCP server with AI-powered file editing and intelligent code search. Prevents context pollution and saves time for a better user experience.
Unified Model Context Protocol (MCP) server providing AI-powered file editing and intelligent code search capabilities. Built on Morph's SDK for fast, accurate code operations.
| Variable | Description | Default |
|---|---|---|
MORPH_API_KEY | Your Morph API key (required for AI tools) | - |
ENABLED_TOOLS | Comma-separated list of enabled tools, or all | edit_file,codebase_search |
MORPH_DEBUG | Enable debug logging for grep agent (true/false) | false |
ENABLE_WORKSPACE_MODE | Auto-detect workspace root (true/false) | true |
WORKSPACE_ROOT | Override workspace root directory | $PWD |
Control which tools are available using ENABLED_TOOLS. By default, only AI-powered tools (edit_file and codebase_search) are enabled to keep the interface clean. Enable additional filesystem tools as needed:
# Default: Only AI-powered tools
# (No ENABLED_TOOLS needed - edit_file and codebase_search are enabled by default)
# Enable all tools including filesystem operations
ENABLED_TOOLS=all
# Only AI-powered tools (explicit, same as default)
ENABLED_TOOLS=edit_file,codebase_search
# Only fast apply
ENABLED_TOOLS=edit_file
# Only semantic search
ENABLED_TOOLS=codebase_search
# Include fast_context_search (grep agent)
ENABLED_TOOLS=edit_file,codebase_search,fast_context_search
# Custom selection
ENABLED_TOOLS=read_file,write_file,edit_file,codebase_search
edit_filePRIMARY TOOL FOR EDITING FILES - Efficiently edit existing files by smartly showing only changed lines. Uses Morph's Fast Apply model (via @morphllm/morphsdk) for intelligent code merging.
Key features:
// ... existing code ...Requires: MORPH_API_KEY
Note for Cursor users: If you're using this tool within Cursor, you may need to first use another tool (like search_replace) to add exactly one empty newline somewhere in the file before using edit_file. This ensures the file is in an editable state.
codebase_searchSEMANTIC CODE SEARCH - Find code using natural language queries. Uses two-stage retrieval (vector search + GPU reranking) to find the most relevant code across your entire codebase.
Key features:
Requires: MORPH_API_KEY and code pushed to Morph git
How it works:
┌─────────────────────────────────────────────────────────────┐
│ SEMANTIC SEARCH LIFECYCLE │
└─────────────────────────────────────────────────────────────┘
1. CODE CHANGES 2. AUTO-SYNC (Plugin)
┌─────────────┐ ┌─────────────┐
│ Agent edits │ ──────────────────> │ git commit │
│ files │ │ + push │
└─────────────┘ └──────┬──────┘
│
▼
3. EMBEDDING (3-8s) 4. INDEXED & SEARCHABLE
┌─────────────────┐ ┌──────────────────┐
│ Code chunking │ │ PostgreSQL │
│ morph-v4-embed │ ────────────> │ pgvector (HNSW) │
│ Vector storage │ │ Ready for search │
└─────────────────┘ └────────┬─────────┘
│
▼
5. SEARCH QUERY 6. TWO-STAGE RETRIEVAL
┌─────────────────┐ ┌──────────────────┐
│ "Find auth │ │ Vector: top 50 │
│ logic" │ ────────────> │ Rerank: top 10 │
└─────────────────┘ │ ~1000ms total │
└────────┬─────────┘
│
▼
7. RESULTS 8. AGENT USES CONTEXT
┌─────────────────┐ ┌──────────────────┐
│ Ranked code │ │ Makes informed │
│ with scores │ ────────────> │ edits with │
│ + line numbers │ │ relevant context │
└─────────────────┘ └──────────────────┘
Setup: Install the morph-sync plugin to automatically sync code after every agent response. See Enable Semantic Search below.
Example queries:
fast_context_searchIntelligently search and gather relevant code context from a repository using Morph's WarpGrep AI-powered search agent. Automatically explores the codebase with grep, file reading, and directory analysis to find exactly what you need.
Key features:
Example queries:
Requires: MORPH_API_KEY
Note: These tools are available but disabled by default. Set ENABLED_TOOLS=all to enable.
read_file - Read complete file contents with optional head/tail (memory-efficient for large files)read_multiple_files - Read multiple files simultaneouslywrite_file - Create or overwrite files with atomic writestiny_edit_file - Make small line-based edits with diff outputNote: These tools are available but disabled by default. Set ENABLED_TOOLS=all to enable.
create_directory - Create directories recursivelylist_directory - List directory contentslist_directory_with_sizes - List with file sizes and sortingdirectory_tree - Get recursive JSON tree structuremove_file - Move/rename files and directoriesNote: These tools are available but disabled by default. Set ENABLED_TOOLS=all to enable.
search_files - Recursively search with exclude patternsget_file_info - Get detailed file metadatalist_allowed_directories - Show accessible directoriesAdd to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"morph-mcp": {
"command": "npx",
"args": ["-y", "morph-mcp"],
"env": {
"MORPH_API_KEY": "sk-your-morph-api-key-here",
"ENABLED_TOOLS": "all"
}
}
}
}
Add to .cursor/mcp.json:
{
"mcpServers": {
"morph-mcp": {
"command": "npx",
"args": ["-y", "morph-mcp"],
"env": {
"MORPH_API_KEY": "sk-your-morph-api-key-here",
"ENABLED_TOOLS": "all"
}
}
}
}
One-liner installation:
claude mcp add morph-mcp -e MORPH_API_KEY=sk-your-morph-api-key-here -e ENABLED_TOOLS=all -- npx morph-mcp
{
"mcpServers": {
"morph-mcp": {
"command": "docker",
"args": [
"run", "-i", "--rm",
"--mount", "type=bind,src=/Users/username/Desktop,dst=/projects/Desktop",
"morph-llm/morph-mcp", "/projects"
],
"env": {
"MORPH_API_KEY": "sk-your-morph-api-key-here",
"ENABLED_TOOLS": "all"
}
}
}
}
For quick installation, click the installation buttons below:
Or manually add to .vscode/mcp.json:
{
"mcp": {
"servers": {
"morph-mcp": {
"command": "npx",
"args": ["-y", "morph-mcp", "${workspaceFolder}"],
"env": {
"MORPH_API_KEY": "sk-your-morph-api-key-here",
"ENABLED_TOOLS": "all"
}
}
}
}
}
sk- or morph-For fast editing only:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "edit_file"
}
}
For semantic code search only:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "codebase_search"
}
}
For everything (including all filesystem tools):
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "all"
}
}
Default (AI tools only - recommended for most use cases):
{
"env": {
"MORPH_API_KEY": "sk-..."
// ENABLED_TOOLS defaults to edit_file,codebase_search
}
}
For the codebase_search tool to work, code must be synced to Morph git. Install the morph-sync plugin:
In Claude Code:
/plugin install morph-sync
The plugin automatically commits and pushes code after every agent response, triggering embedding in the background (3-8 seconds).
In your AI assistant, try:
Ask AI: "Use the edit_file tool to add error handling to this function"
The AI will:
1. Read the current code (or use existing context)
2. Generate smart edit instructions with "// ... existing code ..."
3. Apply changes at 10,500+ tokens/sec using Morph's Fast Apply
4. Show you a git-style unified diff
5. Report errors (if any) to Morph for continuous improvement
Ask AI: "Find the authentication logic in this codebase"
The codebase_search tool will:
1. Query the embedded codebase using natural language
2. Vector search retrieves top 50 candidates (~240ms)
3. GPU reranking scores for precision (~630ms)
4. Return top 10 most relevant code chunks with scores
5. Include file paths, line numbers, and relevance percentages
6. Agent uses this context to make informed edits
Note: Requires code to be synced via morph-sync plugin
Ask AI: "Use fast_context_search to find where JWT tokens are validated"
The WarpGrep agent will:
1. Explore the repository using grep, read, and analyse tools
2. Perform multi-round intelligent exploration
3. Find relevant code across multiple files
4. Return precise line ranges with full context (not entire files)
5. Display formatted XML output with line numbers
6. Show summary of tool calls made during search
@morph-llm/morph-fast-applyOld config:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ALL_TOOLS": "false"
}
}
New config:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "edit_file"
}
}
morph-codeseekOld config:
{
"env": {
"GREP_AGENT_API_KEY": "sk-..."
}
}
New config:
{
"env": {
"MORPH_API_KEY": "sk-...",
"ENABLED_TOOLS": "fast_context_search"
}
}
morph-mcp/
├── index.ts # Main server & tool registry
├── grep/ # Fast context search agent (WarpGrep)
│ ├── agent/ # Multi-round exploration logic
│ ├── tools/ # Grep, read, analyse, finish
│ └── utils/ # Ripgrep, file finder, logger
├── path-utils.ts # Path normalization & Windows/WSL support
├── path-validation.ts # Security validation
├── roots-utils.ts # MCP Roots protocol handling
└── @morphllm/morphsdk # Morph SDK integration (Fast Apply & WarpGrep)
MORPH_API_KEY=sk-...edit_file and fast_context_search are enabled. To enable all filesystem tools, set ENABLED_TOOLS=allENABLED_TOOLS listtail -f ~/Library/Logs/Claude/mcp*.log (Claude Desktop) or check stderr outputMORPH_DEBUG=trueMORPH_API_KEY is correctly setlist_allowed_directories tool)list_allowed_directories toolENABLE_WORKSPACE_MODE=true| Feature | Speed | Accuracy |
|---|---|---|
| Fast Apply (edit_file) | 10,500+ tok/sec | 98% |
| Context Search (WarpGrep) | Multi-round, <30s | High relevance |
| File Operations | Native speed | 100% |
Note: Performance metrics are based on Morph's production models. Actual performance may vary based on file size, complexity, and network conditions.
MIT License - See LICENSE file for details
Built by Morph - Making AI code editing fast and accurate.
FAQs
Fast & accurate MCP server with AI-powered file editing and intelligent code search. Prevents context pollution and saves time for a better user experience.
The npm package @morphllm/morphmcp receives a total of 3,721 weekly downloads. As such, @morphllm/morphmcp popularity was classified as popular.
We found that @morphllm/morphmcp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.