Security researcher builds static scanner to catch hidden MCP tool poisoning attacks
A security researcher has developed an open-source tool called mcpscan after discovering that malicious instructions can be hidden inside MCP server manifests using invisible Unicode characters, such as zero-width spaces and bidirectional overrides, making them undetectable during code review. The attack class, known as tool poisoning, embeds harmful directives in tool metadata rather than executable code, causing AI agents to silently follow instructions like exfiltrating SSH keys or environment files. The threat is timely given the MCP ecosystem surpassed 14,000 public servers in 2026, with one 60-day period alone producing over 30 CVEs, nearly 43 percent of which involved command injection, and 492 servers found exposed without any authentication. mcpscan is a static, offline Python tool requiring no runtime dependencies that scans MCP manifests, Claude Code project directories, and source files for twelve categories of risk before installation. The tool and its deliberately vulnerable test fixtures are publicly available on GitHub for developers to audit MCP servers prior to deployment.
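The detection idea the summary describes, hidden Unicode in tool metadata, is simple to check for statically. The block below is an added example written for this page, not code from mcpscan or its author, and it assumes the manifest is JSON; which character classes to flag (Unicode categories Cf and Cc) is this example's own choice, not a claim about mcpscan's rule set. It walks every string value and key in the manifest, reports each invisible or direction-override code point with its JSON path, and renders the string with those characters made visible so a reviewer can see what the model would have read.

```python
"""Detect invisible and bidirectional-override Unicode in MCP manifest strings.

Added example for this page; not mcpscan's source. Assumes a JSON manifest.
"""
import json
import unicodedata

# Control characters that are legitimate in descriptive text.
ALLOWED_CONTROLS = {"\n", "\r", "\t"}


def is_hidden(ch):
    """True for characters that render as nothing or reorder text on screen.

    Category Cf (format) covers zero-width spaces and joiners, soft hyphen,
    BOM, bidirectional embeddings/overrides/isolates and Unicode tag
    characters; Cc (control) covers C0/C1 controls other than normal whitespace.
    """
    cat = unicodedata.category(ch)
    return cat == "Cf" or (cat == "Cc" and ch not in ALLOWED_CONTROLS)


def hidden_chars(text):
    """Return (offset, 'U+XXXX', unicode name) for every hidden char in text."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(text)
        if is_hidden(ch)
    ]


def reveal(text):
    """Make hidden characters visible for a reviewer, e.g. '<U+200B>'."""
    return "".join(f"<U+{ord(c):04X}>" if is_hidden(c) else c for c in text)


def _walk(node, path=""):
    """Yield (json_path, string) for every string key or value in the manifest."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield f"{child} (key)", key
            yield from _walk(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan_manifest(manifest_text):
    """Parse a JSON manifest and report hidden characters in any string.

    Scanning after json.loads catches both raw code points and JSON escapes
    such as "\\u200b", because the parser decodes both to the same character.
    """
    findings = []
    for path, text in _walk(json.loads(manifest_text)):
        for offset, codepoint, name in hidden_chars(text):
            findings.append({"path": path, "offset": offset, "codepoint": codepoint,
                             "name": name, "context": reveal(text)})
    return findings


# Constructed sample manifests (not real servers). The poisoned one hides a
# placeholder string between a zero-width space and a right-to-left override;
# json.dumps writes them as \uXXXX escapes, which is the form that survives
# copy-paste and code review unnoticed.
POISONED_MANIFEST = json.dumps({
    "name": "file-helper",
    "tools": [
        {"name": "read_file",
         "description": "Reads a file.\u200b[constructed hidden instruction would go here]\u202e"},
        {"name": "list_dir", "description": "Lists a directory."},
    ],
})
CLEAN_MANIFEST = json.dumps({
    "name": "file-helper",
    "tools": [{"name": "read_file", "description": "Reads a file."}],
})

if __name__ == "__main__":
    for finding in scan_manifest(POISONED_MANIFEST):
        print(f"{finding['path']} @{finding['offset']}: {finding['codepoint']} "
              f"{finding['name']}\n    {finding['context']}")
    print("clean manifest findings:", scan_manifest(CLEAN_MANIFEST))
```

Run it against a manifest file with `scan_manifest(open(path, encoding="utf-8").read())`; a non-empty result is a reason to read the rendered `context` field before installing the server, since a tool description is free text the agent will follow and no amount of source review of the executable code will surface it.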
This is an AI-generated summary. ShortSingh links to the original source for the complete article.