The Model Context Protocolis an emerging open standard that defines how large language models and AI agents interact with external tools, services, and data sources.
Instead of every AI provider building its own proprietary “tool calling” system, MCP provides a common protocol (typically over JSON-RPC) to expose capabilities such as sending emails, querying databases, or managing files.
In practice, MCP consists of:
MCP servers hosting one or more tools, each with declared functions, permissions, and capabilities
MCP clients, typically LLM-powered agents, that orchestrate calls to these tools
Transport layers like JSON-RPC messages carried over stdio, HTTP, or server-sent events
The protocol is meant to simplify integration and improve interoperability between AI models and enterprise systems. However, MCP also sits at a sensitive trust boundary: if a malicious or compromised server is introduced, the LLM may execute harmful operations without explicit user awareness.
Since its release, MCP has exhibited a paradoxical dynamic: the security issues that have emerged have outweighed the very problems it set out to solve. Each new case of a missing authentication, poisoned tool, malicious package, or vulnerable server, when not coupled with robust safeguards, tends to expand the attack surface rather than reduce it.
Our red team has also conducted research on this protocol and the systems that rely on it. During our investigation, we leveraged Shodan and identified several instances, many of them publicly exposed without any form of authentication.
For example:
2025 – Current Threat Landscape
Recent research and security advisories show that MCP’s security ecosystem is still maturing. Key risks include:
Prompt Injection & Adversarial Prompts create malicious input that can coerce an LLM into misusing tools
Tool Poisoning servers that appear benign but later update with hidden backdoors
Data Exfiltration tools leaking environment variables, databases, or documents to attackers
Server Spoofing where MCP servers are published with names similar to trusted ones
Parasitic Toolchain Attacks (MCP-UPD) involving adversarial logic embedded in external documents that propagates via MCP
Remote Code Execution (RCE) on poorly isolated MCP servers vulnerable to OS-level compromise
Identity Fragmentation where weak authentication or stale credentials enables misuse
Audits of nearly 2,000 open-source MCP servers found over 7% contained general vulnerabilities, with more than 5% specifically exploitable through MCP mechanisms. Studies like MCPSecBenchdemonstrate that 85% of known attack types succeed on at least one platform.
A Wake-up Call: The Postmark-MCP Incident
In September 2025, security researchers uncovered a backdoored MCP server package on NPM called postmark-mcp. While it appeared to be a legitimate connector for the Postmark email API, a subtle one-line change in version 1.0.16 secretly forwarded every outgoing email to a remote attacker-controlled domain.
This meant sensitive communications (password resets, invoices, contracts) were silently exfiltrated. Because MCP agents typically invoke tools automatically, the theft could occur undetected:
Supply chain attacks are a real risk as malicious actors can slip poisoned code into NPM, PyPI, or other registries
MCP tools carry “god-mode” risk, and once trusted, they can access data and systems at scale without safeguards
The Postmark-MCP case serves as a powerful reminder: MCP tools must be treated as high-risk components, not plug-and-play utilities
Industry Response and Mitigations
The community is now actively working on countermeasures:
Security tools like mcp-scan help detect exploitable behavior in MCP servers
Registries and trust frameworks are being proposed to vet MCP servers before use
Sandboxing and isolation strategies are gaining traction, such as running tools in controlled environments with limited privileges
Best practices are emerging, including:
Principle of least privilege for tools
Strong authentication and encrypted transport
Runtime validation and human approval for sensitive operations
Code signing and supply chain integrity checks
Continuous logging and anomaly detection to spot silent exfiltration
Looking Ahead
MCP represents a powerful vision: enabling AI systems to interact with the digital world through a standardized protocol. But with this power comes risk. The Postmark-MCP backdoor, along with multiple academic studies, makes it clear that attackers are already probing this ecosystem.
To ensure MCP’s safe adoption, organizations must:
Treat every MCP tool as a potential attack surface
Enforce defense-in-depth through isolation, monitoring, and approval workflows
Stay aligned with ongoing security research and update their defenses accordingly
The evolving security landscape of MCP is both a warning and an opportunity: if stakeholders act decisively now, MCP can mature into a safe and trusted standard. If not, it risks becoming a repeat of past supply-chain crises.
These Solutions are Engineered by Humans
Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find cybersecurity issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.
Simone Ragonesi
Offensive Security Technical Lead | Würth IT Italy
The code is the structure, the LLM is the glue at the joints. There's a widespread misconception about automations “powered by artificial intelligence”: People picture a model you give an order to, which then carries out a complex operation from Read More
Model selection, infrastructure sizing, vertical fine-tuning and MCP server integration. All explained without the fluff. Why Run AI on Your Own Infrastructure? Let's be honest: over the past two years, LLMs have evolved from a tool perceived as experimental and Read More
Hi! Today I'd like to discuss a bit a quite hot topic in this world newly full of LLMs, namely MCP Servers! We'll first see what MCP is and why it was created, moving then to a short hands-on with Read More