mcp

Critical Anthropic’s MCP Vulnerability Enables Remote Code Execution Attacks

A critical architectural vulnerability in Anthropic’s Model Context Protocol (MCP) SDK exposes over 150 million downloads to remote code execution (RCE) attacks, potentially compromising up to 200,000 servers. Identified by OX Security, the flaw enables attackers to take full control of affected environments, gaining access to sensitive data and internal systems; despite recommendations, Anthropic has not applied a protocol-level fix, leaving several projects vulnerable.

https://cybersecuritynews.com/anthropics-mcp-vulnerability/

Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files

Check Point Research identified critical vulnerabilities in Anthropic’s Claude Code enabling remote code execution and API key theft through malicious project configurations. Attackers can exploit Hooks and Model Context Protocol to execute unauthorized commands and intercept API communications. All discovered vulnerabilities have been remediated by Anthropic. Developers must carefully scrutinize project configurations to prevent configuration-based attacks, treating them with the same caution as executable code.

https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/

New Prompt Injection Attack Vectors Through MCP Sampling

Palo Alto Networks' Unit 42 article discusses security risks associated with the Model Context Protocol (MCP) in coding applications. MCP enables large language models (LLMs) to connect with external services, but without safeguards, malicious servers can exploit it for various attacks. Key risks identified include resource theft, conversation hijacking, and covert tool invocation. The article presents proof-of-concept attacks demonstrating these vulnerabilities and emphasizes the need for effective prevention strategies. Additionally, it outlines MCP's structure and operational flow, detailing how sampling allows servers to request LLM responses. Overall, this creates potential attack vectors that necessitate robust security measures.

https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/

OpenAI Codex CLI Vulnerability: Command Injection

CVE-2025-61260 – OpenAI Codex CLI Command Injection Vulnerability:
OpenAI Codex CLI is susceptible to command injection via project-local configurations, enabling attackers to execute arbitrary commands on developer machines without user consent. By manipulating .env and config.toml files, an attacker can leverage the automatic loading of MCP server entries to create a backdoor, allowing persistent remote access and command execution. This vulnerability compromises developer workflows and can propagate through supply chains. A fix was issued in version 0.23.0, blocking the unsafe redirection of configuration paths. Users are advised to update immediately.

https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/

When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems

Extreme TLDR: A new attack method, “agent session smuggling,” exploits AI agents' communication protocols (A2A) to inject harmful instructions during ongoing sessions, allowing malicious agents to manipulate and deceive victim agents. This dynamic threat leverages trust relationships and stateful interactions, making detection difficult. Mitigation strategies include human oversight, remote party verification, and context awareness. The research emphasizes the need for advanced security tools and proactive assessments to safeguard AI environments against evolving threats.

https://unit42.paloaltonetworks.com/agent-session-smuggling-in-agent2agent-systems/

First Malicious MCP in the Wild: The Postmark Backdoor That’s Stealing Your Emails

TLDR: Koi Security reveals a malicious npm package, postmark-mcp, that secretly copies emails to an external server. Version 1.0.16 introduced a BCC line that stealthily exfiltrates sensitive information from over 300 organizations. Trusting unknown developers with AI tools poses significant risk, especially as these tools run autonomously with full permissions. Immediate action is required to remove the compromised package and assess potential breaches.

https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft

Scroll to Top