Trust
MCP security
The MCP protocol has documented architectural attack patterns. AgentSeal scanned 1,808 MCP servers in 2025 and found 66% with security findings. Trust depends on knowing what the server does, who shipped it, and what it has access to.
Tool Poisoning
Hidden instructions inside a tool description hijack the model's interpretation at session start.
Cross-Server Shadowing
A malicious server's description rewrites the rules for another, trusted server's tools.
Rug Pulls
A server returns a benign description during install review and silently swaps in a malicious payload on subsequent launches.
Recent incidents
- Sept 2025 postmark-mcp: first confirmed malicious MCP server in the wild, silently BCC'd outgoing email.
- Oct 2025 Smithery registry path-traversal exposed a builder token with root access to 3,000+ hosted apps.
- Apr 2026 STDIO transport design flaw enabled authenticated RCE across 150M+ downloads.