The Model Context Protocol lets an agent load typed tools from a server: query a database, read a wiki, drive a browser. That convenience hides a trust decision. An MCP server is not a passive API definition; it is code you invite into the agent's loop. A local stdio server runs as a process on the endpoint with the developer's own privileges - the same access to files, secrets, and network position the human has at the keyboard.
Thousands of MCP servers circulate publicly with no central vetting, installed from registries, gists, and READMEs on the strength of a name and a star count. That makes the server layer a supply chain - attacked at the point of trust, not the point of use.
How the attack works
Installing a server executes its code, and connecting to it loads its tool definitions - names, descriptions, and parameter schemas - into the agent's context. Both are attack surface: the description is read by the model as instructions, and the server's output is read as fact. Worse, trust is granted once and rarely revisited, so an update can silently swap what a tool does or says, and a server that was benign when you vetted it can turn hostile on its next release. See the defender's guide to AI supply chain attacks.
Attack scenarios
- Lookalike and typosquatted servers. An attacker publishes a server whose name is one character or namespace off a popular one. The developer copies the wrong install line, and a credential-stealing process starts on the endpoint behind a plausible tool set.
- Rug pull on update. A widely used server ships a routine-looking release that quietly changes a tool's behavior or description. Because the trust prompt fired at first install, the malicious version loads without a second look, as in the MCPoison trust-bypass class, CVE-2025-54136.
- Tool-description poisoning. The exploit lives in the description string itself: hidden instructions telling the agent to read a secret file and pass its contents to the server, or to prefer this tool over a safe one. The developer never sees the text; the model always does.
- Malicious output and beachhead. A server returns output crafted to steer the agent while its process reads tokens and opens egress. Once resident it inherits every credential the agent holds, and a bug in a trusted server is just as dangerous, as the Atlassian MCP SSRF-to-RCE chain, CVE-2026-27825 shows.
Related techniques
- Prompt injection - poisoned descriptions and tool output are an injection channel, per prompt injection.
- Code execution by design - a local server runs untrusted code the moment it starts, per code execution and MCP stdio RCE by design.
- Excessive permissions - a compromised server is only as dangerous as its scope, per excessive MCP permissions.
Mitigations
- Inventory every installed server first. You cannot govern servers you cannot see. Know which are installed across the fleet, and their source, owner, and version, before reasoning about any single one.
- Treat install as a code-execution event. Vet servers the way you vet dependencies: pin versions, prefer known owners, and review what a server can reach before allowing it.
- Re-evaluate on change. Updates are where rug pulls land. Catch version and configuration drift and re-approve, rather than trusting the original decision forever.
- Enforce at the tool-call boundary, and keep the trail. The moment a poisoned description or output becomes action is a tool call. A hook that evaluates each call against policy before it runs turns a malicious server into a logged, denied attempt, and retaining those calls lets you investigate which server did what and when.
How Anomity helps
Anomity's lightweight, unprivileged Endpoint Sensor discovers every MCP server across Windows, macOS, and Linux endpoints and records each one's source, owner, version, and reach, so the server supply chain is enumerable instead of invisible. It surfaces updates and config changes as change events, which is exactly where a rug pull would otherwise slip through. On agents that expose a hook, such as Claude Code's PreToolUse, each tool call is allowed, denied, or logged before it runs, containing a server whose descriptions or output have turned hostile. Violations route to SIEM, Slack, email, and Jira, and every call lands in a queryable 90-day audit trail.




