Security Exposure and Threat Landscape for Model Context Protocol (MCP) Servers
Security researchers evaluated the risks associated with deploying Model Context Protocol (MCP) servers, which enable AI systems like ChatGPT to interact with external tools and data. One investigation used the GitHub MCP server in conjunction with OpenAI's Codex to analyze code, identify security issues, and propose fixes, highlighting how AI agents can streamline code review and vulnerability management. The study also explored whether AI-driven code analysis could be manipulated to conceal security flaws, emphasizing the importance of context and transparency in automated security workflows.
Separately, honeypots simulating MCP server deployments were exposed to the internet to assess real-world attack activity. These honeypots, configured with varying authentication levels, were quickly discovered by internet scanners but did not experience targeted exploitation or MCP-specific attacks. The only notable incident was a controlled proof-of-concept prompt-hijacking flaw in a custom MCP build, which was not observed in the wild. The findings suggest that, while MCP servers are rapidly indexed by threat actors, current risks stem primarily from implementation errors rather than active targeting, underscoring the need for secure deployment practices and ongoing monitoring as MCP adoption grows.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Sysdig investigates security issues involving ChatGPT and the GitHub MCP server
Sysdig published research examining security issues related to ChatGPT integrations and the GitHub MCP server. The report added technical detail to emerging risks in the MCP ecosystem and highlighted specific concerns around this implementation.
GreyNoise publishes findings from deployed MCP honeypots
GreyNoise released a blog post describing what it learned from deploying honeypots targeting the Model Context Protocol (MCP) ecosystem. The publication indicates active security research and observed attacker or scanner behavior around MCP-exposed services.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Security Advancements and Risks in Model Context Protocol (MCP) Server Deployments
The increasing adoption of Model Context Protocol (MCP) servers to facilitate data access for artificial intelligence (AI) applications has introduced both new opportunities and security challenges for organizations. MCP servers, originally developed by Anthropic, have become a de facto standard for connecting AI models to various data sources, enabling more effective and context-aware processing of information. However, as these servers proliferate across IT environments, they have also emerged as a potential attack surface for cybercriminals seeking to exploit vulnerabilities for data exfiltration and unauthorized access. To address these risks, MCPTotal has launched a Secure MCP Platform that provides a centralized approach to managing and securing MCP server deployments. This platform employs a hub-and-gateway architecture, allowing organizations to catalog, authenticate, and monitor MCP servers through a graphical interface, ensuring only vetted servers are deployed. The Secure MCP Platform also functions as an AI-native firewall, capable of monitoring traffic, enforcing security policies in real time, and surfacing supply chain exposures, prompt injection vulnerabilities, rogue server activity, and authentication gaps. Traditional security tools and even some newer solutions designed for large language models (LLMs) are not equipped to monitor or control MCP-specific traffic, highlighting the need for specialized platforms like MCPTotal’s offering. In parallel, security vendors such as Sysdig and Snyk are leveraging AI-powered approaches to integrate static vulnerability findings with real-time cloud context, using MCP servers to bridge the gap between code-level vulnerabilities and live cloud exposures. This integration enables security teams to prioritize risks based on actual exposure and behavior, rather than being overwhelmed by theoretical vulnerabilities. The use of large language models (LLMs) and MCP servers allows for rapid correlation of security signals across domains, reducing manual effort and improving the accuracy of risk assessments. The dynamic nature of cloud workloads, including ephemeral containers and microservices, further complicates the security landscape, making real-time context and automated policy enforcement essential. By combining advanced AI techniques with secure MCP server management, organizations can better defend against both traditional vulnerabilities and emerging threats targeting AI infrastructure. The evolution of MCP server security reflects a broader trend toward context-aware, AI-driven security solutions that can adapt to the complexities of modern cloud environments. As MCP servers become more integral to AI operations, their security will be critical to maintaining data integrity and preventing sophisticated attacks. The industry’s response, as seen in the launch of secure hosting platforms and the integration of AI-powered risk analysis, demonstrates a proactive approach to safeguarding the next generation of AI-enabled systems. Organizations are encouraged to adopt these new security measures to ensure that the benefits of MCP servers and AI applications are not undermined by preventable security lapses. The convergence of AI, cloud, and secure protocol management marks a significant step forward in the ongoing effort to protect digital assets in an increasingly interconnected world.
Mar 21, 2026
Model Context Protocol (MCP) Security Risks From Untrusted Tool Servers and Verifiability Gaps
Security researchers warned that the *Model Context Protocol (MCP)*—used to let AI assistants connect to local tools and enterprise SaaS data—creates a significant attack surface when organizations install or authorize MCP “servers” and tool integrations. Praetorian highlighted that **locally hosted MCP servers run with the user’s privileges** and can therefore execute arbitrary commands, access local files, install malware, and exfiltrate data while masquerading as legitimate productivity tooling; it also described **“MCP server chaining,”** where a malicious local MCP server abuses data and actions flowing through a trusted remote integration (e.g., Slack/Google Drive) without needing to compromise the official provider. Separately, Gopher Security emphasized a **trust and auditability gap** in MCP deployments: standard logging for remote tool execution can be incomplete or tampered with, and organizations often cannot prove what code ran or what parameters were used inside a remote “black box” execution environment. The post described “puppet”/interception-style scenarios where an attacker could alter an MCP request (e.g., changing tool-call parameters to trigger data exfiltration or unauthorized actions) while returning plausible “success” responses, and proposed cryptographic approaches (e.g., **zero-knowledge proofs**) to make MCP tool execution verifiable rather than relying on mutable logs.
May 5, 2026
Security Risks and Assessment Tools for Model Context Protocol (MCP) Servers
The rapid adoption of the Model Context Protocol (MCP) is transforming how AI systems interact with external data sources, tools, and APIs, providing a standardized interface for large language models to connect with enterprise environments. While MCP offers significant convenience and interoperability, it also introduces new security challenges, including risks of prompt injection, tool poisoning, and data exfiltration, as attackers can exploit exposed tool descriptions and prompts to manipulate AI systems or compromise sensitive data. To address these emerging threats, the open-source tool Proximity has been released to scan MCP servers for exposed prompts, tools, and resources, enabling security teams to assess potential vulnerabilities before deployment. Proximity, when paired with the NOVA rule engine, allows analysts to write custom rules to detect suspicious or harmful content, such as prompt injection or jailbreak attempts, helping organizations proactively secure their AI integrations as MCP becomes increasingly prevalent in enterprise environments.
Mar 21, 2026