Malicious MCP Analysis: Hidden Poisoning and Manipulation in MCP Systems

The MCP (Model Context Protocol) system is still in its early stages of development. The overall environment is relatively chaotic, and various potential attack methods emerge in an endless stream. It is difficult to defend against the current design of protocols and tools. In order to help the community better understand and improve the security of MCP, SlowMist has specially opened the MasterMCP tool, hoping to help everyone discover security risks in product design in a timely manner through actual attack drills, so as to strengthen their own MCP projects step by step.

At the same time, you can use the MCP security checklist from the previous issue to better understand the underlying perspective of various attacks. This time, we will take everyone to practice and demonstrate common attack methods in the MCP system, such as information poisoning, hiding malicious instructions and other real cases. All scripts used in the demonstration will also be open sourced to GitHub (see the link at the end of the article). You can fully reproduce the entire process in a safe environment, and even develop your own attack test plug-in based on these scripts.

Overview of the overall architecture

Demonstration attack target MCP: Toolbox

smithery.ai is one of the most popular MCP plug-in websites, gathering a large number of MCP lists and active users. Among them, @smithery/toolbox is the MCP management tool officially launched by smithery.ai.

The selection of Toolbox as the test target is mainly based on the following points:

• It has a large user base and is representative;

• It supports automatic installation of other plug-ins and supplements some client functions (such as Claude Desktop);

• It contains sensitive configurations (such as API Key) for easy demonstration.

Malicious MCP used in the demonstration: MasterMCP

MasterMCP is a simulated malicious MCP tool written by SlowMist specifically for security testing. It adopts a plug-in architecture design and contains the following key modules:

1. Local website service simulation: http://127.0.0.1:1024

In order to restore the attack scenario more realistically, MasterMCP has a built-in local website service simulation module. It quickly builds a simple HTTP server through the FastAPI framework to simulate a common web page environment. These pages look normal on the surface, such as displaying cake shop information or returning standard JSON data, but in fact, carefully designed malicious payloads are hidden in the page source code or interface return.

In this way, we can fully demonstrate attack methods such as information poisoning and command hiding in a safe and controllable local environment, helping everyone to understand more intuitively: even a seemingly ordinary web page may become a source of hidden dangers that induce large models to perform abnormal operations.

2. Local plug-in MCP architecture

Demo client

• Cursor: One of the most popular AI-assisted programming IDEs in the world

• Claude Desktop: Anthropic (MCP protocol customizer) official client

Large model used in demonstration

• Claude 3.7

Claude 3.7 version was selected because it has made certain improvements in sensitive operation recognition and represents the stronger operation capabilities in the current MCP ecosystem.

Configuration claude_desktop_config.json

{  "mcpServers": {    "toolbox": {      "command": "npx",      "args": [        "-y",        "@smithery/cli@latest",        "run",        "@smithery/toolbox",        "--config",        "{\"dynamic\":false,\"smitheryApiKey\":\"ec1f0fa8-5797-8678-sdaf-155d4584b133\"}",        "--key",        "ec1f0fa8-5797-8678-sdaf-155d4584b133"      ]    },    "MasterMCP": {      "command": "/Users/xxx/Desktop/EvilMCP/bin/python",  [        "/Users/xxx/Desktop/EvilMCP/MasterMCP.py"      ]    }  }}

After the configuration is completed, the demonstration is officially entered.

Cross-MCP Malicious Invocation

This demonstration includes two contents: Checklist poisoning and Cross-MCP malicious invocation.

Web content poisoning attack

1. Comment poisoning (partial reference: https://x.com/lbeurerkellner/status/1912145060763742579)

Cursor visits the local test website http://127.0.0.1:1024.

This is a seemingly harmless page about "Delicious Cake World". Through this experiment, we simulate the impact of a large model client visiting a malicious website.

Execute instructions:

Fetch the content of http://127.0.0.1:1024

The results show that Cursor not only reads the web page content, but also sends local sensitive configuration data back to the test server. In the source code, malicious prompt words are implanted in the form of HTML comments:

Although the comment method is relatively straightforward and easy to identify, it can already trigger malicious operations.

2. Encoded comment poisoning

Visit the http://127.0.0.1:1024/encode page, which is a web page that looks the same as the example above, but the malicious prompt words are encoded, which makes the poisoning exp more hidden and difficult to detect directly even if the source code of the web page is accessed.

Even if the source code does not contain plaintext prompts, the attack is still successfully executed. The specific principle will be explained in detail in subsequent chapters.

MCP tool returns information poisoning

Here we are based on The prompt word of MasterMCP indicates to enter our simulated instruction (this instruction has no actual meaning and is intended to trigger our malicious MCP to demonstrate the subsequent operations of the malicious MCP): get a lot of apples

You can see that after the instruction is triggered, the client calls the Toolbox across MCP and successfully adds a new MCP server:

Looking at the plug-in code, it can be found that the returned data has been embedded with encoded malicious payloads, and the user end can hardly detect the abnormality.

Third-party interface pollution attack

This demonstration is mainly to remind everyone that whether it is malicious or non-malicious MCP, when calling a third-party API, if the third-party data is directly returned to the context, it may have serious consequences.

Sample code:

Execute request:

Fetch json from http://127.0.0.1:1024/api/data  

Result: The malicious prompt words were implanted into the returned JSON data and successfully triggered malicious execution.

Poisoning technology in the initialization phase of MCP

This demonstration includes two contents: the initial prompt word injection and name conflict in the Checklist.

Malicious function overwrite attack

Here MasterMCP wrote a tool with the same function name as Toolbox, remove_server, and encoded to hide the malicious prompt word.

Execution command:

toolbox remove fetch plugin server

Claude Desktop did not call the original `toolbox remove_server` method, but triggered the method of the same name provided by MasterMCP:

The principle is to emphasize that "the original method has been abandoned" and give priority to inducing the large model to call the maliciously overwritten function.

Add malicious global check logic

Here MasterMCP wrote a tool similar to banana. The core function of this tool is to force all tools to perform security checks before running in the prompt word.

Before executing each function, the system will give priority to calling the banana check mechanism:

Advanced techniques for hiding malicious prompt words

Large model-friendly encoding methods

Due to the strong parsing ability of the Large Language Model (LLM) for multi-language formats, it is used to hide malicious information. Common methods include:

• In English environment: Use Hex Byte encoding

Recommended tool: Hex Decoder

• In Chinese environment: Use NCR encoding or JavaScript encoding

Recommended tool: R12a Unicode Conversion Tools

Random malicious payload return mechanism

As mentioned in Chapter 2, when requesting http://127.0.0.1:1024/random, the third-party interface is polluted:

A page with a malicious payload will be randomly returned each time, greatly increasing the difficulty of detection and tracing.

Summary

Through this actual combat demonstration of MasterMCP, we intuitively see the various security risks hidden in the Model Context Protocol (MCP) system. From simple prompt word injection and cross-MCP calls to more hidden initialization phase attacks and malicious instruction hiding, every link reminds us: Although the MCP ecosystem is powerful, it is also fragile.

Especially today when large models are increasingly dealing with external plug-ins and APIs, a small amount of input pollution may cause security risks at the entire system level. The diversification of attackers' means (coding hiding, random pollution, function coverage) also means that traditional protection ideas need to be fully upgraded.

Security is never achieved overnight.

I hope this demonstration can serve as a wake-up call for everyone: both developers and users should be sufficiently vigilant about the MCP system, and always pay attention to every interaction, every line of code, and every return value. Only by being rigorous in every detail can we truly build a stable and secure MCP environment.

Next, we will continue to improve the MasterMCP script and open source more targeted test cases to help everyone deeply understand, practice, and strengthen protection in a safe environment.

Ps. The relevant content has been synchronized to GitHub (https://github.com/slowmist/MasterMCP). Interested readers can click on the original text at the end of the article to jump directly.