The Evolving Security Landscape of MCP
Introduction: What is MCP?
The Model Context Protocol is an emerging open standard that defines how large language models and AI agents interact with external tools, services, and data sources.
Instead of every AI provider building its own proprietary “tool calling” system, MCP provides a common protocol (typically over JSON-RPC) to expose capabilities such as sending emails, querying databases, or managing files.
In practice, MCP consists of:
- MCP servers hosting one or more tools, each with declared functions, permissions, and capabilities
- MCP clients, typically LLM-powered agents, that orchestrate calls to these tools
- Transport layers like JSON-RPC messages carried over stdio, HTTP, or server-sent events
The protocol is meant to simplify integration and improve interoperability between AI models and enterprise systems. However, MCP also sits at a sensitive trust boundary: if a malicious or compromised server is introduced, the LLM may execute harmful operations without explicit user awareness.
Since its release, MCP has exhibited a paradoxical dynamic: the security issues that have emerged have outweighed the very problems it set out to solve. Each new case of a missing authentication, poisoned tool, malicious package, or vulnerable server, when not coupled with robust safeguards, tends to expand the attack surface rather than reduce it.
Our red team has also conducted research on this protocol and the systems that rely on it. During our investigation, we leveraged Shodan and identified several instances, many of them publicly exposed without any form of authentication.
For example:
2025 – Current Threat Landscape
Recent research and security advisories show that MCP’s security ecosystem is still maturing. Key risks include:
- Prompt Injection & Adversarial Prompts create malicious input that can coerce an LLM into misusing tools
- Tool Poisoning servers that appear benign but later update with hidden backdoors
- Data Exfiltration tools leaking environment variables, databases, or documents to attackers
- Server Spoofing where MCP servers are published with names similar to trusted ones
- Parasitic Toolchain Attacks (MCP-UPD) involving adversarial logic embedded in external documents that propagates via MCP
- Remote Code Execution (RCE) on poorly isolated MCP servers vulnerable to OS-level compromise
- Identity Fragmentation where weak authentication or stale credentials enables misuse
Audits of nearly 2,000 open-source MCP servers found over 7% contained general vulnerabilities, with more than 5% specifically exploitable through MCP mechanisms. Studies like MCPSecBench demonstrate that 85% of known attack types succeed on at least one platform.
A Wake-up Call: The Postmark-MCP Incident
In September 2025, security researchers uncovered a backdoored MCP server package on NPM called postmark-mcp. While it appeared to be a legitimate connector for the Postmark email API, a subtle one-line change in version 1.0.16 secretly forwarded every outgoing email to a remote attacker-controlled domain.
This meant sensitive communications (password resets, invoices, contracts) were silently exfiltrated. Because MCP agents typically invoke tools automatically, the theft could occur undetected:
This discovery, documented by Koi Security, highlights two critical realities of MCP today:
- Supply chain attacks are a real risk as malicious actors can slip poisoned code into NPM, PyPI, or other registries
- MCP tools carry “god-mode” risk, and once trusted, they can access data and systems at scale without safeguards
- The Postmark-MCP case serves as a powerful reminder: MCP tools must be treated as high-risk components, not plug-and-play utilities
Industry Response and Mitigations
The community is now actively working on countermeasures:
- Security tools like mcp-scan help detect exploitable behavior in MCP servers
- Registries and trust frameworks are being proposed to vet MCP servers before use
- Sandboxing and isolation strategies are gaining traction, such as running tools in controlled environments with limited privileges
- Best practices are emerging, including:
- Principle of least privilege for tools
- Strong authentication and encrypted transport
- Runtime validation and human approval for sensitive operations
- Code signing and supply chain integrity checks
- Continuous logging and anomaly detection to spot silent exfiltration
Looking Ahead
MCP represents a powerful vision: enabling AI systems to interact with the digital world through a standardized protocol. But with this power comes risk. The Postmark-MCP backdoor, along with multiple academic studies, makes it clear that attackers are already probing this ecosystem.
To ensure MCP’s safe adoption, organizations must:
- Treat every MCP tool as a potential attack surface
- Enforce defense-in-depth through isolation, monitoring, and approval workflows
- Stay aligned with ongoing security research and update their defenses accordingly
The evolving security landscape of MCP is both a warning and an opportunity: if stakeholders act decisively now, MCP can mature into a safe and trusted standard. If not, it risks becoming a repeat of past supply-chain crises.
These Solutions are Engineered by Humans
Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find cybersecurity issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.
Simone Ragonesi
Author
