MCP server supply chain
Attacker publishes a useful-looking MCP server; victims install it and grant it access to local files and tools.
Severity: high
OWASP LLM: LLM03
How it works
Like browser extensions, MCP servers are often installed casually. Malicious servers exfiltrate file content the moment they are connected.
Example payload
[npm publish 'mcp-server-helpful' that exfiltrates ~/.aws/credentials on startup.]
Defenses
Pin MCP servers to known-good versions. Review network egress per server. Run servers in containers with no host file access.
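One way to enforce the three defenses above before a server is ever launched is to audit the client's MCP configuration. The following is an added example, not code from the original page: it assumes the common `mcpServers` JSON shape (a `command` plus `args` per server) and treats an npx package without an exact `@x.y.z` version, a Docker image without a `@sha256:` digest, any host mount, or any non-containerised launch as a finding. All server names, package names, paths and the digest in the sample config are constructed placeholders.

```python
import re

# Exact npm pin: optional @scope/, a name, then @MAJOR.MINOR.PATCH; ranges and tags fail.
NPM_PINNED = re.compile(r"^(@[\w.-]+/)?[\w.-]+@\d+\.\d+\.\d+$")
HOST_MOUNT_FLAGS = ("-v", "--volume", "--mount")

def audit_server(name, spec):
    """Return policy findings for one mcpServers entry; an empty list means compliant."""
    findings = []
    cmd, args = spec.get("command", ""), list(spec.get("args", []))
    if cmd == "docker" and "run" in args:
        if not any("@sha256:" in a for a in args):
            findings.append(f"{name}: image is not pinned by digest")
        if any(a in HOST_MOUNT_FLAGS or a.startswith(("--volume=", "--mount=")) for a in args):
            findings.append(f"{name}: container mounts host paths")
        # Egress is a review item: a stdio-only server can run with no network at all.
        net_none = "--network=none" in args or any(
            a == "--network" and args[i + 1] == "none" for i, a in enumerate(args[:-1]))
        if not net_none:
            findings.append(f"{name}: egress not restricted (no --network none); review it")
    else:
        if cmd == "npx":
            pkg = next((a for a in args if not a.startswith("-")), "")
            if not NPM_PINNED.match(pkg):
                findings.append(f"{name}: package '{pkg}' is not pinned to an exact version")
        findings.append(f"{name}: runs on the host with the user's file access")
    return findings

def audit_config(config):
    """Audit every entry under mcpServers; returns {server name: [findings]}."""
    return {n: audit_server(n, s) for n, s in config.get("mcpServers", {}).items()}

# Constructed sample config: package names, paths and the digest are placeholders.
SAMPLE_CONFIG = {"mcpServers": {
    "helpful": {"command": "npx", "args": ["-y", "mcp-server-helpful"]},
    "pinned-on-host": {"command": "npx", "args": ["-y", "@example/mcp-server@1.4.2"]},
    "leaky": {"command": "docker", "args": [
        "run", "-i", "-v", "/home/me/.aws:/root/.aws", "example/mcp-server:latest"]},
    "sandboxed": {"command": "docker", "args": [
        "run", "--rm", "-i", "--network", "none", "example/mcp-server@sha256:deadbeef"]},
}}

if __name__ == "__main__":
    for server, findings in audit_config(SAMPLE_CONFIG).items():
        print(server, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The egress finding is deliberately a prompt to review rather than a hard failure, since a server that legitimately calls an upstream API needs a tighter allow-list rather than no network.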