
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
Unreal Engine Model Context Protocol Server - gives AI assistants deep read/write access to the Unreal Editor through 23 category tools covering 682+ actions, plus a YAML flow engine for multi-step workflows.
flowchart LR
AI[AI Assistant] -->|stdio| MCP[MCP Server<br/>TypeScript / Node.js]
MCP -->|WebSocket<br/>JSON-RPC| Plugin[C++ Bridge Plugin<br/>inside Unreal Editor]
Plugin -->|UE API| Editor[Editor Subsystems]
MCP -->|direct fs| FS[Config INI<br/>C++ Headers<br/>Asset Listing]
Blueprints, materials, levels, actors, animation, VFX, landscape, PCG, foliage, audio, UI, physics, navigation, AI, GAS, networking, sequencer, build pipeline — all programmable through natural language.
npx ue-mcp init
The interactive setup will:
.uproject (auto-detects in current directory)Restart the editor once after setup to load the bridge plugin. To update later: npx ue-mcp update
Then ask your AI:
project(action="get_status") — verify connection
level(action="get_outliner") — see what's in the level
asset(action="list") — browse project assets
If you prefer to configure manually, add to your MCP client config:
{
"mcpServers": {
"ue-mcp": {
"command": "npx",
"args": ["ue-mcp", "C:/path/to/MyGame.uproject"]
}
}
}
| Category | Examples |
|---|---|
| Levels | Place/move/delete actors, spawn lights and volumes, manage splines, actor bounds |
| Blueprints | Read/write graphs, add nodes, connect pins, compile, CDO property access |
| Materials | Create materials and instances, author expression graphs |
| Assets | CRUD, import meshes/textures/animations, datatables, mesh bounds/collision/nav |
| Animation | Anim blueprints, montages, blendspaces, skeletons |
| VFX | Niagara systems, emitters, parameters |
| Landscape | Sculpt terrain, paint layers, import heightmaps |
| PCG | Author and execute Procedural Content Generation graphs |
| Gameplay | Physics, collision, navigation, navmesh inspection, behavior trees, EQS, perception, PIE damage |
| GAS | Gameplay Ability System — attributes, abilities, effects, cues |
| Networking | Replication, dormancy, relevancy, net priority |
| UI | UMG widgets, editor utility widgets and blueprints, runtime delegate inspection |
| Editor | Console, Python, PIE, viewport, sequencer, build pipeline, logs |
| Reflection | Class/struct/enum introspection, gameplay tags |
Requires PythonScriptPlugin (ships with UE 4.26+).
If you clone this repo to contribute, install git-lfs first - the bundled test project stores .uasset / .umap via LFS and plain git clone will leave them as pointer files.
Issues and pull requests welcome. If an AI agent had to fall back to execute_python during your session, it will offer to submit structured feedback automatically — this helps us prioritize which native handlers to add next.
UE-MCP is licensed under the MIT License. Use it freely in personal, educational, and commercial projects. See LICENSE.
Contributions are accepted under the same MIT License (inbound contributions are licensed under the project's outbound license).
FAQs
Unreal Engine MCP server - 23 tools, 682+ actions for AI-driven editor control
The npm package ue-mcp receives a total of 3,576 weekly downloads. As such, ue-mcp popularity was classified as popular.
We found that ue-mcp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.