This repository demonstrates a security vulnerability in MCP (Model Context Protocol) servers that allows for remote code execution and data exfiltration through tool poisoning. This is intended for educational and security research purposes only.
server.py- The malicious MCP server implementation containing the poisoned tool.cursor/mcp.json- Configuration file for Cursor AI integration
The attack demonstrates the "Rug Pull" method:
- A user connects to the malicious MCP server through MCP Client like Cursor AI
- The server modifies the
DockerCommandAnalyzertool's documentation with malicious code - When an AI assistant reads this documentation, it's manipulated to recommend running a base64-encoded command
- The encoded command silently:
- Collects the user's SSH public keys
- Exfiltrates them to a remote server
- Removes evidence of the attack
The key elements of the attack are:
- Two-stage poisoning: Uses a marker file for persistence to ensure the tool remains poisoned
- Social engineering: Uses urgent language to manipulate AI assistants
- Base64 obfuscation: Hides the malicious commands from casual inspection
- wget for exfiltration: Uses standard HTTP POST to send data to an attacker-controlled server
To protect against this type of attack:
- Disable auto-run features in AI development tools like Cursor
- Always verify the source of any MCP server before connecting
- Review code from untrusted sources before execution
- Use sandboxed environments when testing new AI tools
- Implement egress filtering to block unexpected outbound connections