$ ls -la /blog

All Posts

Security research, ecosystem analysis, and infrastructure insights from the MCP protocol landscape.

341 Malicious Skills, Zero Registry Checks: What OpenClaw's ClawHavoc Means for MCP

In January 2026, 341 malicious skills infiltrated OpenClaw's official registry. The MCP ecosystem faces the same structural vulnerability — and scanning alone won't fix it.

Tags: mcp, security, registry, supply-chain, openclaw, ClawHavoc

The Attack That Gets Better as Your AI Gets Smarter

Unit 42's MCPTox benchmark found 72.8% attack success on o1-mini. More capable models are more vulnerable to MCP sampling injection because the attack exploits instruction-following. You cannot model-upgrade your way out of this.

Tags: MCP, security, sampling, prompt-injection, Unit42, MCPTox, OWASP

Nobody Is Checking: What Three Independent Scans of 14,000+ MCP Servers Reveal

Three independent teams scanned 14,000+ MCP servers in 30 days. All found the same vulnerabilities. All ended with the same recommendation. None of them could enforce it.

Tags: mcp, security, scanning, ecosystem, admission-control

MCP Is Deprecating Sampling, Roots, and Logging: What It Means for the Ecosystem

SEP-2577 proposes removing three core MCP features simultaneously. The protocol is scope-reducing to become a lean stateless tool-calling layer. Here is what builders need to know.

Tags: mcp, protocol, sampling, deprecation, ecosystem

A Malicious MCP Server Can Inflate Your API Bill 658x — And Standard Defenses Miss It 97% of the Time

A new class of MCP attack turns tool responses into a billing amplifier. A session that should cost $0.10 costs $65.80. The schema is clean, the task completes, and 97% of standard defenses never notice.

Tags: mcp, security, attack, economics, research

Three Governance Gaps Nobody Instruments in Multi-Agent Systems

Three independent teams arrived at the same conclusion this week: multi-agent systems fail silently because nobody instruments delegation, escalation, or reputation. Here are the practical instrumentation points.

Tags: multi-agent, governance, delegation, observability, mcp, a2a, agent-coordination

MCP Server-Initiated Sampling: The Spec Feature That Becomes an Attack Vector

MCP sampling lets servers request LLM completions through the client. Unit42 research shows how this legitimate spec feature enables prompt injection, cross-server poisoning, privilege escalation, and data exfiltration.

Tags: mcp, security, sampling, prompt-injection, unit42, spec

Q1 2026 MCP CVE Roundup: 9 Vulnerabilities, 3 Patterns, 1 Lesson

MCP went from zero CVEs to nine in a single quarter. A data-driven breakdown of every vulnerability, the three recurring patterns behind them, and what the ecosystem should do next.

Tags: mcp, security, cve, vulnerability, protocol

Only 8.5% of MCP Servers Use OAuth

A study of 5,200+ MCP servers found 88% require credentials, 53% use static API keys, and only 8.5% use OAuth. Six RSAC vendors announced MCP governance — none fix these numbers. The gateway layer does.

Tags: security, MCP, OAuth, authentication, gateway

The Approved Server Problem: How a Legitimate MCP Server Can Still Exfiltrate Everything

Quarantine catches obvious malware. Docker contains filesystem access. But an approved, isolated MCP server with outbound network access can silently POST every tool call payload to an attacker. Here is what to do about it.

Tags: security, MCP, exfiltration, network-isolation, defense-in-depth

The LiteLLM Supply Chain Attack Is the Best Argument for Docker-Isolated MCP Servers

LiteLLM v1.82.7 was compromised via a poisoned GitHub Action. The .pth malware fires on every Python startup, stealing SSH keys, cloud creds, and API keys. Many MCP servers pull LiteLLM as a transitive dependency.

Tags: security, MCP, supply-chain, Docker, LiteLLM, isolation

The Single-Agent Era Is Over

In 72 hours: Microsoft AutoGen retired, GitHub launched Squad, Block's Goose pivoted to multi-agent. Three independent signals, same conclusion: the single-agent architecture is done.

Tags: multi-agent, MCP, architecture, AutoGen, GitHub-Squad, Goose

Identity Secures the Agent, But Who Secures the Tool Call?

Microsoft, CyberArk, and Okta frame AI agent security through identity. But identity alone does not prevent tool poisoning or parameter manipulation. The MCP gateway layer is the missing half.

Tags: security, MCP, identity, gateway, architecture

$430M in One Month: Why AI Agent Security Is 2026's Hottest VC Category

March 2026 saw $430M+ invested in AI agent security across 5 major rounds. Combined with 30 CVEs, 9 documented MCP breaches, and 1,184 malicious skills, the market signal is unmistakable.

Tags: security, MCP, VC, market-analysis, AI-agents

chmod for AI Agents: How the MCP Permission Model War Will Shape Agent Security

Three radically different permission models for MCP emerged this month: Unix-style rwxd, DIFC labels, and scope-per-service. The winner will define how enterprises govern AI agent tool access.

Tags: security, MCP, permissions, architecture, agents

From Azure SSRF to RSAC Stage: What CVE-2026-26118 Teaches Us About MCP Gateway Security

The first high-profile MCP CVE (CVSS 8.8) in Azure's MCP Server plus Token Security's MCPwned RSAC presentation show why every MCP deployment needs a gateway layer that inspects tool calls before they reach upstream servers.

Tags: security, MCP, CVE, Azure, gateway, RSAC

Why MCP Gateways and Runtime Hooks Are Complementary, Not Competing

Security Boulevard argues gateways are a bad idea for MCP. They are half right. The best architecture uses both gateways for perimeter defense and hooks for runtime context. Here is how they fit together.

Tags: security, MCP, gateway, hooks, architecture, defense-in-depth

MCP Security Just Became an Enterprise Product Category

In five days, three companies launched dedicated MCP security products. Combined with OWASP MCP Top 10 and CoSAI's threat taxonomy, MCP security has transitioned from research concern to funded enterprise market.

Tags: security, MCP, enterprise, gateway, market-analysis

From Theory to Exploit: Real MCP Attacks and How Gateways Stop Them

MCP security has moved from theoretical risks to documented exploits. ContextCrush, Unit42 sampling attacks, and cross-agent escalation prove the attack surface is real. Here is how gateway-level interception stops them.

Tags: security, MCP, exploits, gateway, tool-poisoning, supply-chain

The MCP Registry Landscape: Why It Matters and How to Auto-Publish Your Server

MCP servers are scattered across GitHub repos, awesome-lists, and third-party directories. The Official MCP Registry changes that. Here's why registries matter, how the ecosystem fits together, and how to set up automatic publishing from your CI pipeline.

Tags: MCP, registry, CI/CD, open-source, developer-tools

Deploy Your Own Agent Messaging Hub in 15 Minutes -- For Free

SynapBus is a single Go binary that gives your AI agent swarm Slack-like messaging, semantic search, and MCP connectivity. Deploy it with Docker or Kubernetes, expose it via Cloudflare Tunnel, and connect your first agents -- total cost: $0.

Tags: SynapBus, MCP, multi-agent, deployment, tutorial

A2A v1.0 Is Here: How Google's Agent Protocol Complements MCP

Google's Agent-to-Agent protocol just hit v1.0 under the Linux Foundation. Here is how A2A and MCP work together to enable the next generation of AI agent architectures.

Tags: A2A, MCP, agent-protocols, multi-agent, agentic-ai

The OWASP MCP Top 10: A Security Framework for the AI Agent Era

The OWASP MCP Top 10 maps the most critical security risks in AI agent tool integration — from tool poisoning to context poisoning. Here is what practitioners need to know.

Tags: security, MCP, OWASP, tool-poisoning, agentic-ai

Securing MCP Servers: From Tool Poisoning to Filesystem Sandboxing

The MCP security landscape has evolved through three waves: protocol scanning, traffic proxying, and OS-level sandboxing. Here's the full map of projects and where the frontier is heading.

Tags: security, MCP, sandboxing, agentic-ai

MCP Tool Annotations: What They Are, Why They Matter, and What's Coming Next

The MCP spec includes five tool annotation fields that tell agents whether tools are read-only, destructive, or open-world. Most servers don't use them. Here's why that needs to change.

Tags: MCP, tool-annotations, security, agentic-ai

NIST Evaluates MCP for AI Agent Identity Governance

NIST's draft concept paper lists MCP as one of five standards under evaluation for agentic AI authentication. What this means for MCP's legitimacy and enterprise adoption.

Tags: governance, NIST, identity, MCP, standards

Why Google Dropped MCP: Context Explosion and the Tool Discovery Problem

Google quietly removed MCP from its Workspace CLI after tool definitions ballooned context windows to 100K tokens. The tool discovery problem is MCP's biggest scaling barrier.

Tags: tool-discovery, MCP, context-management, BM25

The Confused Deputy Problem in MCP Authentication

MCP's authentication model has a fundamental gap: servers cannot verify whether an agent was authorized to use the credentials it presents. Here's why this matters and what's being done about it.

Tags: security, OAuth, authentication, MCP

Anatomy of the Clinejection Attack: When AI Agents Become Supply Chain Vectors

A detailed breakdown of the Clinejection attack chain that compromised the Cline VS Code extension in January 2026, and what it reveals about trust boundary gaps in MCP composition.

Tags: security, supply-chain, MCP, agentic-ai

The State of MCP Security in 2026: What You Need to Know

A comprehensive look at the security landscape of the Model Context Protocol ecosystem - from tool poisoning attacks to emerging defenses.

Tags: security, MCP, supply-chain, tool-discovery, agentic-ai