Threat Brief

Security research on the
MCP ecosystem, published weekly.

Real findings. Reproducible methodology. Every brief includes the rule that caught the pattern, the package that triggered it, and — where responsible disclosure permits — the full reproduction steps.

Published every Friday. No paywalls. Cross-post encouraged.

April 18, 2026 · 8 min read

Tool poisoning at install time: how malicious MCP servers hijack your agent's context window

Seven public npm packages use tool description fields to inject silent system prompt exfiltration. Here's the pattern and how to detect it.

Prompt injectionSupply chainCWE-93·Read

April 11, 2026 · 6 min read

Lookalike servers: typosquat patterns emerging in the MCP package namespace

mcp-filesystem vs @modelcontextprotocol/server-filesystem. We found 23 packages designed to be confused with legitimate ones.

TyposquattingSupply chain·Read

April 4, 2026 · 5 min read

Excessive permissions: 61% of filesystem servers claim write access to /

The MCP spec lets servers self-declare their permission scope. Nobody audits it. We audited it.

PermissionsFilesystem·Read

March 28, 2026 · 9 min read

Dependency confusion in PyPI MCP packages: three live PoC packages

Private internal package names leaking into public MCP server dependencies. We found — and responsibly disclosed — three exploitable cases.

Dependency confusionPyPICWE-1357·Read

March 21, 2026 · 7 min read

Silent network calls: MCP servers that phone home with your tool invocations

12 packages make undocumented HTTP requests to third-party endpoints during normal operation. No disclosure. No opt-out.

Data exfiltrationCWE-200·Read

Get new briefs by email

One email per Friday. Unsubscribe anytime. No marketing.