Kaspersky has found that Model Context Protocol (MCP) could be weaponised by cybercriminals as a supply chain attack vector, potentially leading to harmful impacts, including, but not limited to the leakage of password, credit card, cryptowallet and other types of data.
In new research, Kaspersky experts show the concept of an attack and share mitigation measures for businesses who integrate AI tools into their workflows.
Open-sourced by Anthropic in 2024, the Model Context Protocol (MCP) is a standard that gives AI systems, especially LLM-based apps, a consistent way to connect to external tools and services. For instance, organisations may use it to let LLMs search and update documents, manage code repositories and APIs, or access CRM, financial, and cloud data.
Like any open-source tool, MCP can be abused by cybercriminals. In their new research, Kaspersky Emergency Response Team experts built a proof-of-concept that simulates how attackers might abuse an MCP server. This was to demonstrate how the supply chain attacks can unfold through the protocol and to showcase the potential harm that might come from running such tools without proper auditing.
Performing a controlled security lab test, they simulated a developer workstation with a rogue MCP server installed, ultimately harvesting such sensitive data types as:
- Browser passwords
- Credit card data
- Cryptocurrency wallet files
- API tokens and certificates
- Cloud configurations and more
During the simulated attack a “victim” only sees the legitimate output. Kaspersky has not yet observed this vector in real life and warns that the vector may be used by cybercriminals not only to extract sensitive data, but also to cause other harmful impacts such as executing malicious code, installing backdoors and deploying ransomware, etc.
In the research, Kaspersky used Cursor as the AI example client to connect with the weaponised MCP server, though the same attack concept may be applied to other LLMs as well. Cursor and Anthropic have been notified of the research outcomes.
“Supply chain attacks remain one of the most pressing threats in the cybersecurity space, and the potential weaponisation of MCP we demonstrated follows this trend,” says Mohamed Ghobashy, incident response specialist in the Kaspersky Global Emergency Response Team. “With the current hype around AI and the race to integrate these tools into workflows, businesses may lower their guard and, by adopting a seemingly legitimate but unproven custom MCP, perhaps posted on Reddit or similar platforms, end up suffering a data leak.
“This underscores the importance of a strong security posture. In our new white paper, we share the technical details of this potential attack vector along with measures to help avoid falling victim.”