Last updated: July 2026 · Orchesis reference

Malicious MCP Server

A malicious MCP server is a Model Context Protocol server that appears to offer legitimate tools but is built or compromised to attack the AI agent that connects to it. It attacks through poisoned tool descriptions, stolen OAuth tokens and credentials, data exfiltrated inside tool results, or rug-pull updates that change a tool's behavior after it has been trusted. Because an AI agent treats an MCP server's tool list as trusted context, a single malicious server can hijack the agent's actions. The core defense is to treat every MCP server as untrusted input, pin and hash its tools, and route all MCP traffic through a security proxy.

How a malicious MCP server works

When an agent connects to an MCP server, it downloads a list of tools — each with a name, a natural-language description, and an input schema. The agent uses these descriptions to decide when and how to call tools, and it often forwards user credentials or OAuth tokens so the tool can act on the user's behalf. A malicious server abuses that trust at the discovery layer, before the user ever explicitly calls a tool.

Attack techniques

How to detect and prevent a malicious MCP server

  1. Allowlist servers — restrict which MCP servers an agent may connect to; block unknown origins.
  2. Pin and hash tool descriptions and alert on any change (rug-pull detection).
  3. Treat tool metadata as untrusted — never merge it into the agent's system-instruction channel.
  4. Scope credentials — issue least-privilege, short-lived tokens per tool instead of forwarding broad user credentials.
  5. Filter egress — allowlist outbound destinations so a compromised tool cannot exfiltrate data.
  6. Inspect MCP traffic with a security proxy between the agent and the server.

Context

Malicious MCP servers sit under the OWASP Top 10 for agentic applications and are catalogued in the CASURA taxonomy of AI-agent vulnerabilities. Independent scans in 2025 found that a large share of publicly listed MCP servers exposed tool descriptions that could be modified after installation, making rug-pull and tool-poisoning variants a practical concern. As one MCP security review put it: "You are not just calling a tool — you are importing whatever the server decides to say."

Sources: OWASP Agentic Security Project · Model Context Protocol specification · CASURA taxonomy (Orchesis). Reference maintained by Orchesis, an open-source AI-agent security proxy.