
All news with #mcp security tag

54 articles · page 2 of 3

Standardized IAM Context Keys for AWS-Managed MCP Servers

🔐 AWS introduced standardized IAM context keys for its managed remote Model Context Protocol (MCP) servers so AI agents can operate with existing IAM credentials while enabling distinct governance controls. The two keys — aws:ViaAWSMCPService (boolean) and aws:CalledViaAWSMCP (string) — let you allow or deny MCP-initiated actions and restrict access to specific MCP servers. AWS will also simplify public endpoint authorization so AI calls use standard IAM permissions (no separate MCP actions) and plans to add VPC endpoint support for private-network enforcement and two-stage authorization.

Shai-Hulud-style npm worm strikes CI and AI tooling

🐛 Socket researchers disclosed an active npm supply-chain campaign dubbed SANDWORM_MODE that leverages typosquatted packages to infiltrate developer machines, CI pipelines, and AI coding assistants. The malicious packages (at least 19 observed) harvest npm and GitHub tokens, environment secrets, and cloud keys, then use stolen credentials to modify repositories and amplify via weaponized GitHub Actions. The campaign also injects a malicious MCP server into AI tool configs to enable prompt-injection exfiltration, includes a dormant polymorphic engine, and implements a configurable 'dead switch' that can wipe home directories.

Amazon Aurora DSQL Integrates with Kiro Powers, Skills

🤖 Amazon Web Services today announced that Amazon Aurora DSQL now integrates with Kiro powers and AI agent skills to accelerate database-backed application development. The integration packages the Aurora DSQL Model Context Protocol (MCP) server with development best practices so AI agents can assist with schema design, performance tuning, and routine database operations out of the box. Kiro powers provides a curated registry of MCP servers, steering files, and agent hooks with one-click installation in the Kiro IDE. The Aurora DSQL skill extends the same guidance to other agent ecosystems via a Skills CLI, allowing agents to dynamically load Postgres-compatible SQL patterns, distributed design advice, and IAM authentication guidance.

Managed MCP Servers for Google Cloud Databases and Tools

🔌 Google Cloud now offers managed MCP servers for databases and developer tooling, enabling MCP-compliant AI agents (including Gemini) to access data and infrastructure without deploying additional infrastructure. The expansion adds AlloyDB for PostgreSQL, Spanner, Cloud SQL, Bigtable and Firestore, plus a Developer Knowledge MCP server for IDE documentation access. These servers use IAM-based authentication and Cloud Audit Logs for observability and governance, letting teams scale agentic workloads securely.

SmartLoader Trojans Oura MCP Server to Deliver StealC

🛡️ Researchers at Straiker's AI Research (STAR) Labs disclosed a SmartLoader campaign that distributes a trojanized Oura Model Context Protocol (MCP) server to deploy the StealC infostealer. Attackers built a deceptive network of fake GitHub accounts and forks, added sham contributors, and submitted the malicious server to the MCP Market to exploit developer trust. The delivered ZIP runs an obfuscated Lua script that drops SmartLoader, which then installs StealC to exfiltrate credentials, browser passwords, and cryptocurrency wallet data. Organizations should inventory MCP servers, verify provenance before installation, and monitor for suspicious egress and persistence.

Anthropic DXT's Privileged Design Enables Critical RCE

⚠️ LayerX Security published a report describing a critical zero-click RCE in Anthropic’s Claude Desktop Extensions (DXT) that can let a malicious Google Calendar invite trigger arbitrary local code execution when MCP connectors run with full system privileges. The researchers say DXT runs unsandboxed and can autonomously chain low-risk services to high-risk local executors without user consent. Anthropic says users explicitly grant MCP permissions and must configure the tool carefully, while security experts call the issue architectural and urge stricter deployment controls and sandboxing.

Critical Zero-Click Flaw in Claude Desktop Extensions

⚠️ LayerX disclosed a critical zero-click vulnerability affecting 50 Claude Desktop Extensions (DXT) that can result in remote code execution from a single crafted Google Calendar event. The flaw is possible because DXTs operate as unsandboxed MCP servers with full host privileges, allowing them to read files, run system commands and access credentials. LayerX rated the issue CVSS 10.0 and warned it could affect over 10,000 active users. Anthropic has declined to remediate, saying the scenario falls outside its current threat model.

DockerDash: Metadata Flaw in Docker's Ask Gordon AI

⚠️ Noma Labs disclosed a critical vulnerability, dubbed DockerDash, in Docker's Ask Gordon AI assistant that allows unverified image metadata to be treated as executable instructions. The flaw exploits a trust failure in the Model Context Protocol (MCP) gateway: Ask Gordon reads Docker LABEL metadata, forwards the interpreted content to MCP, and MCP tools execute it without validation. Depending on deployment this can enable remote code execution (cloud/CLI) or large-scale data exfiltration and reconnaissance in Docker Desktop. Docker issued mitigations in Docker Desktop 4.50.0 and users are urged to upgrade.

Anthropic Git MCP Server: Three Flaws Risk LLM Tampering

🔓 Researchers at Israel-based Cyata disclosed three vulnerabilities in Anthropic's official mcp-server-git that enable prompt-injection attacks to influence MCP tool calls and perform unapproved actions. The flaws affect versions prior to 2025.12.18 and are tracked as CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145; together they allow arbitrary git flags, path tampering, file overwrite/deletion, and abuse of git smudge/clean filters to execute code. Cyata and interviewed experts urge an immediate update to the patched release and recommend auditing MCP deployments, restricting Git + Filesystem combinations, applying least-privilege, sanitizing inputs, and adding logging and retrospection for agent actions.

gRPC as a Native Transport for the Model Context Protocol

🔗 Google Cloud describes work to enable gRPC as a native transport for the Model Context Protocol (MCP), offering an alternative to JSON-RPC transcoding for organizations that already use gRPC. Native gRPC eliminates the need for transcoding gateways and preserves existing tooling, while delivering lower latency, smaller Protobuf-encoded payloads, and full-duplex streaming. The MCP core maintainers agreed to pluggable transports in the SDK, and Google Cloud will contribute a community-backed gRPC transport package to promote consistent, interoperable deployments.

Securing MCPs: Control of Agentic AI Tool Access and Risks

🔒 This webinar explains why MCPs — the control plane that governs what agentic AI can execute — are a critical but often overlooked security boundary. Drawing on recent incidents such as CVE-2025-6514, the session shows how trusted proxies and misconfigurations can convert automation into a remote code execution vector at scale. Participants will learn to detect shadow API keys, audit agent actions, and apply practical controls to secure agentic AI without slowing development.

Google Antigravity IDE Integrates Data Cloud via MCP

🔌 Google Cloud has integrated the Model Context Protocol (MCP) into Antigravity, its new AI-first IDE, enabling LLM-based agents to access enterprise data services directly within the development workflow. The Antigravity MCP Store lets developers install connectors for AlloyDB, BigQuery, Spanner, Cloud SQL, Looker and other Data Cloud products, configuring projects, regions, and credentials through a guided UI. Once connected, agents receive executable tools for schema exploration, query development, optimization, forecasting, catalog search, and semantic validation, while credentials are stored securely and MCP standardizes access across services.

Tools and Strategies to Secure Model Context Protocol

🔒 Model Context Protocol (MCP) is increasingly used to connect AI agents with enterprise data sources, but real-world incidents at SaaS vendors have exposed practical weaknesses. The article describes what MCP security solutions should provide — discovery, runtime protection, strong authentication and comprehensive logging — and surveys offerings from hyperscalers, platform providers and startups. It stresses least-privilege and Zero Trust as core defenses.

MCP Sampling Risks: New Prompt-Injection Attack Vectors

🔒 This Unit 42 investigation (published December 5, 2025) analyzes security risks introduced by the Model Context Protocol (MCP) sampling feature in a popular coding copilot. The authors demonstrate three proof-of-concept attacks — resource theft, conversation hijacking, and covert tool invocation — showing how malicious MCP servers can inject hidden prompts and trigger unobserved model completions. The report evaluates detection techniques and recommends layered mitigations, including request sanitization, response filtering, and strict access controls to protect LLM integrations.

Securing Web3 Agents: MCP Transaction Models & Practices

🔐 This post from Adrien Delaroche at Google Cloud outlines three architectures for AI agents that interact with blockchains: the agent-controlled custodial model, a self-hosted variant, and the non-custodial transaction-crafter model. It explains security, performance, and malice risks when agents hold private keys and recommends returning unsigned transactions so users sign locally. The author demonstrates a sample implementation using Google ADK, Gemini 2.0 Flash, Cloud Run, and an Ethereum faucet, and urges MCP servers to support both signing and unsigned flows to balance automation with user safety.

RCE Flaw in OpenAI's Codex CLI Elevates Dev Risks Globally

⚠️ Researchers from CheckPoint disclosed a critical remote code execution vulnerability in OpenAI's Codex CLI that allowed project-local .env files to redirect the CODEX_HOME environment variable and load attacker-controlled MCP servers. By adding a malicious mcp_servers entry in a repo-local .codex/config.toml, an attacker with commit or PR access could cause Codex to execute commands silently whenever a developer runs the tool. OpenAI addressed the issue in Codex CLI v0.23.0 by blocking project-local redirection of CODEX_HOME, but the flaw demonstrates how automated LLM-powered developer tools can expand the attack surface and enable persistent supply-chain backdoors.

Amazon API Gateway Adds MCP Proxy for Agent Integration

🤖 Amazon API Gateway now supports the Model Context Protocol (MCP) via a proxy, enabling organizations to expose existing REST APIs to AI agents and MCP clients without modifying their applications. Integrated with Amazon Bedrock AgentCore's Gateway, the feature performs protocol translation, indexes APIs for semantic tool discovery, and eliminates the need to host additional intermediary infrastructure. It also enforces dual authentication to verify agent identities for inbound requests while managing secure outbound connections to REST endpoints. The capability is available in nine AWS Regions and follows Amazon Bedrock AgentCore pricing.

Comet AI Browser's Embedded API Permits Device Access

⚠️ Security firm SquareX disclosed a previously undocumented MCP API inside the AI browser Comet that enables embedded extensions to execute arbitrary commands and launch applications — capabilities mainstream browsers normally block. The API can be triggered covertly from pages such as perplexity.ai, creating an execution channel exploitable via compromised extensions, XSS, MITM, or phishing. SquareX highlights that the analytics and agentic extensions are hidden and cannot be uninstalled, leaving devices exposed by default.

Rogue MCP Servers Can Compromise Cursor's Embedded Browser

⚠️ Security researchers demonstrated that a rogue Model Context Protocol (MCP) server can inject JavaScript into the built-in browser of Cursor, an AI-powered code editor, replacing pages with attacker-controlled content to harvest credentials. The injected code can run without URL changes and may access session cookies. Because Cursor is a Visual Studio Code fork without the same integrity checks, MCP servers inherit IDE privileges, enabling broader workstation compromise.

What CISOs Should Know About Securing MCP Servers Now

🔒 The Model Context Protocol (MCP) enables AI agents to connect to data sources, but early specifications lacked robust protections, leaving deployments exposed to prompt injection, token theft, and tool poisoning. Recent protocol updates — including OAuth, third-party identity provider support, and an official MCP registry — plus vendor tooling from hyperscalers and startups have improved defenses. Still, authentication remains optional and gaps persist, so organizations should apply zero trust and least-privilege controls, enforce strong secrets management and logging, and consider specialist MCP security solutions before production rollout.