Nobody Is Checking: What Three Independent Scans of 14,000+ MCP Servers Reveal
Three independent teams scanned 14,000+ MCP servers in 30 days. All found the same vulnerabilities. All ended with the same recommendation. None of them could enforce it.
Security research, tool discovery patterns, and infrastructure insights for developers building with the Model Context Protocol.
SEP-2577 proposes removing three core MCP features simultaneously. The protocol is reducing its scope to become a lean, stateless tool-calling layer. Here is what builders need to know.
A new class of MCP attack turns tool responses into a billing amplifier. A session that should cost $0.10 costs $65.80. The schema is clean, the task completes, and 97% of standard defenses never notice.
Three independent teams arrived at the same conclusion this week: multi-agent systems fail silently because nobody instruments delegation, escalation, or reputation. Here are the practical instrumentation points.
MCP sampling lets servers request LLM completions through the client. Unit42 research shows how this legitimate spec feature enables prompt injection, cross-server poisoning, privilege escalation, and data exfiltration.