← Back to Blog

6 Real MCP Security Breaches That Prove Your AI Tools Need Auditing

By Joerg Michno · March 19, 2026 · 5 min read

The Model Context Protocol has exploded in popularity with 79,000+ GitHub stars and adoption by every major AI platform. But with rapid growth comes a growing attack surface. These 6 documented breaches show why MCP security scanning is no longer optional.

April 2025
1. WhatsApp MCP: Chat History Exfiltrated

A tool poisoning attack embedded a sleeper backdoor in a WhatsApp MCP server. The malicious code hid in tool metadata that appeared legitimate. Every chat message was silently forwarded to attackers.

Lesson: Tool descriptions can contain hidden instructions that bypass user awareness. Always scan tool metadata before connecting.

May 2025
2. GitHub MCP: Financial Data in Public PRs

Attackers injected prompts through public GitHub Issues. The MCP-connected AI agent processed these as legitimate instructions and leaked private repository data including financial information into public pull requests.

Lesson: Cross-origin prompt injection through public data sources is real. MCP servers that ingest untrusted input need strict output filtering.

June 2025
3. Asana MCP: Cross-Tenant Data Access

A broken access control flaw in an Asana MCP integration allowed reading project data from other organizations. No sophisticated exploit needed, just a misconfigured permission scope that the MCP layer failed to validate.

Lesson: MCP integrations inherit the security flaws of their underlying APIs. Permission boundaries must be verified at every layer.

September 2025
4. Postmark MCP: Email Supply Chain Attack

A compromised dependency in a Postmark MCP server silently redirected business emails to attacker-controlled servers. The supply chain attack went undetected for weeks because nobody audited the dependency tree.

Lesson: MCP server dependencies are a new supply chain attack vector. Treat them with the same scrutiny as npm or PyPI packages.

October 2025
5. Smithery Registry: Docker Credentials Leaked

A path traversal vulnerability in the largest MCP server registry exposed Docker credentials and API tokens. The registry itself became the weakest link in the chain.

Lesson: MCP registries and marketplaces need security auditing. Trust in a registry does not equal trust in what it serves.

March 2026
6. LLM-Powered Intrusions: AI as Attack Tool

Security researchers documented attackers using MCP to integrate LLMs directly into intrusion workflows, automating firewall analysis, credential extraction, and lateral movement. MCP is no longer just a target. It is becoming a weapon.

Lesson: Defensive MCP security scanning must evolve as fast as offensive techniques. Static rules alone are not enough.

Do Not Wait for Breach #7

ClawGuard Shield scans your MCP servers against 132 security patterns in 14 languages with EU AI Act compliance mapping that no other scanner provides.

Scan Your MCP Servers - Free