Security · 2h ago
Tool poisoning attack evades code review in MCP ecosystem
A new attack class called tool poisoning hides malicious instructions in MCP server metadata using zero-width Unicode characters, bypassing human code review. Over 14,000 public MCP servers exist, with 43% of recent CVEs involving command injection. A static scanner called mcpscan has been released to detect these invisible payloads before installation.
Meridian48 take
The attack exploits a fundamental blind spot in AI supply chain security: LLMs treat tool descriptions as instructions, not just metadata.
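As an added illustration of the detection side (this is not mcpscan's code, nor from the original item), the scanner below walks an MCP tools/list response and flags zero-width, bidi-control, tag-block and other invisible code points hidden in tool names, descriptions or schemas; the sample tools and the hidden placeholder text are constructed for the example.

```python
import unicodedata

# Code points commonly used to hide text from a human reviewer while a model still reads it.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x180E}
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}
TAG_BLOCK = range(0xE0000, 0xE0080)  # Unicode tag characters; invisible in most renderers


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if cp in ZERO_WIDTH or cp in BIDI_CONTROLS or cp in TAG_BLOCK:
        return True
    # Other format (Cf), unassigned (Cn) or private-use (Co) code points are suspicious too;
    # ordinary whitespace and control characters such as newlines are left alone.
    return unicodedata.category(ch) in {"Cf", "Cn", "Co"}


def scan_text(text: str) -> list:
    """Return (offset, 'U+XXXX', unicode name) for every invisible character in text."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if is_invisible(ch)]


def scan_tools(tools: list) -> dict:
    """Walk every string in each MCP tool definition; return {tool_name: {json_path: hits}}."""
    findings = {}

    def walk(node, path, out):
        if isinstance(node, str):
            if hits := scan_text(node):
                out[path] = hits
        elif isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}", out)
        elif isinstance(node, list):
            for idx, value in enumerate(node):
                walk(value, f"{path}[{idx}]", out)

    for tool in tools:
        out = {}
        walk(tool, "tool", out)
        if out:
            findings[tool.get("name", "<unnamed>")] = out
    return findings


# Constructed tools/list payload: one clean tool and one whose description hides text behind
# a word joiner and zero-width spaces (a placeholder string stands in for the hidden text).
SAMPLE_TOOLS = [
    {"name": "read_file", "description": "Read a file from the workspace.", "inputSchema": {"type": "object"}},
    {"name": "get_weather",
     "description": "Get the forecast." + "\u2060" + "\u200b".join("[hidden placeholder]"),
     "inputSchema": {"type": "object"}},
]
```

Calling `scan_tools(SAMPLE_TOOLS)` reports only `get_weather`, with the offset, code point and Unicode name of each hidden character in `tool.description`, which is the check to run on a server's metadata before installing it.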
mcp-security · tool-poisoning