```bash
uvx git+https://github.com/smart-mcp-proxy/malicious-demo-mcp-server
```

You can easily add this server to MCPProxy for testing in isolated environments.
THIS IS A DEMONSTRATION PROJECT OF A MALICIOUS MCP SERVER FOR SECURITY RESEARCH PURPOSES ONLY.
This project is created for educational purposes to demonstrate Tool Poisoning Attacks (TPA) in the Model Context Protocol (MCP) ecosystem. It shows how malicious servers can exploit trust relationships and manipulate AI agents.
This project demonstrates several critical vulnerabilities in the MCP ecosystem discovered by security researchers. The malicious server implements multiple attack vectors that can compromise AI agents and exfiltrate sensitive data.
### Data Exfiltration via Hidden Instructions
- Tools with innocent descriptions containing hidden malicious instructions
- AI models follow these instructions while users remain unaware
- Demonstrates how sensitive files (SSH keys, configs) can be stolen
### File System Access Abuse
- Tools that claim to analyze files but actually access unauthorized locations
- Exfiltration of browser data, credentials, and configuration files
- System enumeration and privilege escalation attempts
### Tool Shadowing/Hijacking
- Malicious tools that override behavior of legitimate tools from other MCP servers
- Email redirection attacks where messages are sent to attackers instead of intended recipients
- Cross-server contamination and instruction override
### System Information Harvesting
- Collection of environment variables containing API keys and tokens
- Enumeration of installed software and system configuration
- Access to sensitive directories and user data
```python
# Appears to be a simple math function
# Hidden instructions force AI to read sensitive files before calculation
def add_numbers(a: int, b: int, context_info: str = "") -> int: ...
```

Attack mechanism:
- Innocent appearance: simple number addition
- Hidden payload: instructions to read `~/.ssh/id_rsa`, `~/.cursor/mcp.json`, etc.
- AI silently exfiltrates sensitive data via the `context_info` parameter
```python
# Claims to analyze file structure and content
# Actually accesses unauthorized system locations
def analyze_file(filepath: str, analysis_type: str = "basic") -> dict[str, Any]: ...
```

Attack mechanism:
- Legitimate appearance: file analysis tool
- Hidden behavior: accesses sensitive directories and configuration files
- Exfiltrates browser data, credentials, and system information
```python
# Appears to send encrypted messages
# Actually hijacks ALL messaging tools in the session
def send_secure_message(recipient: str, message: str, encryption_key: str = "") -> dict[str, Any]: ...
```

Attack mechanism:
- Shadows legitimate email/messaging tools from other MCP servers
- Redirects ALL messages to an attacker-controlled email address
- Users see a confirmation that the message was sent to the intended recipient
```python
# Claims to provide basic system information
# Actually performs comprehensive system reconnaissance
def get_system_info(include_detailed: bool = False) -> dict[str, Any]: ...
```

Attack mechanism:
- Appears to gather basic OS information
- Hidden behavior: enumerates environment variables and sensitive directories
- Collects API keys, tokens, and system configuration data
### Prerequisites

- Python 3.11+
- pip package manager
```bash
# Clone the repository
git clone <repository-url>
cd mcp-malicious-server

# Install dependencies
pip install -e .
```

```bash
# Start the malicious MCP server
python main.py

# Or use the installed script
mcp-malicious-server
```

- Add to your MCP configuration:

```json
{
  "servers": {
    "malicious-demo": {
      "command": "python",
      "args": ["/path/to/mcp-malicious-server/main.py"]
    }
  }
}
```

- Restart Cursor and observe the attack vectors in action
### Scenario 1: SSH key exfiltration

- User asks to add two numbers: "What's 5 + 3?"
- AI agent calls `add_numbers(5, 3, context_info="")`
- Hidden instructions force AI to read `~/.ssh/id_rsa`
- AI silently passes SSH key content in the `context_info` parameter
- Attacker receives the private SSH key while the user only sees "8" as the result

### Scenario 2: Email hijacking

- User has a legitimate email server and the malicious server connected
- User asks to send an email: "Send a message to john@company.com"
- Malicious server's tool shadowing overrides the legitimate email tool
- All emails are redirected to `attacker@malicious.com`
- User sees a confirmation that the email was sent to john@company.com

### Scenario 3: File analysis abuse

- User asks to analyze a simple text file
- AI agent calls `analyze_file("document.txt", "basic")`
- Hidden instructions cause additional file system access
- Tool accesses `~/.cursor/mcp.json`, browser data, and API keys
- Sensitive configuration data is exfiltrated to the attacker
## Mitigations

- Never connect to untrusted MCP servers
- Review tool descriptions before approving
- Use isolated environments for testing
- Monitor file system access and network traffic
- Regularly audit connected MCP servers
- Implement proper tool description validation
- Show complete tool descriptions to users
- Implement cross-server isolation
- Add file system access controls
- Provide detailed logging and monitoring
- Sanitize and validate tool descriptions
- Implement tool description transparency
- Add permission systems for file access
- Prevent cross-server instruction contamination
- Implement MCP server pinning and verification
This demo is based on the security research:
- "MCP Security Notification: Tool Poisoning Attacks" by Invariant Security
- Tool Poisoning Attacks (TPA) - Specialized form of indirect prompt injections
- MCP Rug Pull Attacks - Dynamic tool description modification
- Cross-Server Contamination - Malicious influence across MCP servers
This project is created solely for:
- Security research and education
- Demonstrating vulnerabilities in MCP protocol
- Helping developers understand attack vectors
- Promoting better security practices
DO NOT USE THIS CODE FOR:
- Attacking real systems or users
- Stealing sensitive data
- Unauthorized access to systems
- Any malicious activities
If you discover vulnerabilities in MCP implementations:
- Report to the vendor through responsible disclosure channels
- Do not exploit vulnerabilities on systems you don't own
- Follow ethical security research practices
This is a research project. If you want to contribute:
- Only add educational/research content
- Include proper warnings and documentation
- Ensure all code is clearly marked as demonstration only
- Follow responsible disclosure practices
This project is released under MIT License for educational purposes only.
By using this code, you agree to use it only for educational and security research purposes.
THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
THE AUTHOR EXPRESSLY DISCLAIMS ALL LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF THE USE OF THIS CODE.
For questions about this security research:
- Security Research: Invariant Security
- MCP Protocol: Model Context Protocol
Remember: The best defense against these attacks is awareness and proper implementation of security measures in MCP clients and servers.