Launched by Anthropic in late 2024, MCP acts because the plugin structure for agentic AI. In case your group isn’t scanning for, mapping or monitoring for MCP dangers, you will have a blind spot that grows each time a developer installs a brand new instrument. MCP takes “outdated” dangers corresponding to provide chain assaults, hardcoded credentials, privilege escalation, distant code execution and makes them new once more.
Right here’s how:
Shadow AI: You’ll be able to’t safe what you possibly can’t see
In 2025, researchers documented the primary confirmed malicious MCP server within the wild. The car was a npm bundle referred to as postmark-mcp, a instrument that helped builders combine AI assistants with the Postmark e-mail service. The attacker was affected person. They printed fifteen reputable variations over time, constructed up roughly 1,500 weekly downloads and earned real belief within the developer neighborhood. Then a model shipped with a single injected line of code that BCC’d each single outgoing e-mail to an exterior handle.
Round 300 organizations had been affected earlier than anybody seen. Password resets, invoices, inner memos, confidential paperwork — exfiltrated for weeks with out tripping a single alert. The tactic mirrors the SolarWinds playbook: Set up legitimacy first, corrupt later and depend on the truth that as soon as one thing is trusted, it stops being scrutinized.
