HARDENED Cybersecurity Intelligence | Issue No. 064 · July 6, 2026 · Weekly Flagship · hardened.news |
|
| > The signal. Not the noise. — For teams that defend. |
|
| Enterprise | Cloud & DevOps | Dev | IT Ops | End Users |
|
| Gates cleared: | Gate 1 Exploitation | Gate 2 Blast Radius | Gate 3 Canadian |
|
| 01 — // Lead Story — Deep Dive |
|
|
Microsoft Warns That a Poisoned Tool Description Can Turn Your AI Agent Into a Silent Leak
On June 30, Microsoft's incident responders detailed how attackers can quietly rewrite the natural-language description of a Model Context Protocol tool to make an AI agent hand over sensitive data — without the agent ever breaking a rule a human reviewer would notice.
Model Context Protocol has become the default way agentic AI tools — Copilot, Cursor, Claude Code, and dozens of VS Code extensions — reach outside their own walls to read files, query databases, and send messages on a user's behalf. Every MCP tool ships with a natural-language description telling the agent what the tool does and how to call it. Most deployments treat that description as documentation. Microsoft's June 30 guidance says that assumption is the vulnerability.
Here is the mechanism Microsoft describes. An attacker who controls or compromises a third-party tool updates its description while leaving the tool's name and visible summary unchanged. Buried in the description — often disguised as formatting notes or usage tips — sits a hidden instruction telling the agent to collect sensitive data and attach it to its next outbound call. Because MCP clients frequently pick up description changes automatically, with no re-approval step required, the poisoned version can go live with no review at all. This is not hypothetical. A real MCP tool built a track record first: an npm package called postmark-mcp behaved exactly like the legitimate email tool it copied across fifteen releases, earning the trust that comes from a clean history, before a single later version turned that trust against its users by silently copying every outgoing email to an attacker's inbox. Koi Security, who found it in 2025, called it the first confirmed malicious MCP server. The Hacker News → Microsoft Security Blog →
No individual step in this attack looks wrong. The agent calls a tool it was already permitted to call, and attaches data it was already permitted to read. Standard agent logging and endpoint tooling are built to catch rule violations, not routine-looking actions taken on hidden instructions. The failure sits at a trust boundary: MCP mixes instructions and data in the same channel, so anything an agent reads — including a tool's own description — can carry commands the agent will follow.
The blast radius follows from how fast MCP adoption has moved. It now underpins agentic coding and productivity tooling across most major AI vendors, and Hardened has already tracked the same class of supply-chain exposure spreading through the npm ecosystem this year, from the Miasma worm to TeamPCP's campaigns. An organization with no change-control process on third-party MCP tool descriptions is exposed the moment any tool maintainer's account, or the package itself, is compromised — the exact pattern behind postmark-mcp.
The fix is governance, not a patch. Treat a tool description update with the same rigour as a dependency bump: pin versions, diff the text on every change, and require a human sign-off before an updated description goes live for any agent with access to sensitive systems. Ask your team this week which MCP tools your AI agents can call, who maintains each one, and whether your current setup silently reloads updated descriptions without anyone reviewing what changed.
// Trust Boundary Failures — How Tool Poisoning Reaches Your Data
MCP-01 — Critical Silent Description Mutation A tool's description can change without triggering re-approval in many MCP clients. A malicious update goes live the next time the agent refreshes its tool list — with the visible name and summary unchanged. |
MCP-02 — Critical Instructions Disguised as Documentation A hidden command buried in formatting notes tells the agent to exfiltrate data on its next call. The agent complies because instructions and data share one channel — there is no separate command layer to inspect. |
MCP-03 — High No Rule Broken, No Alarm Raised Every action taken is one the agent already had permission for. Default agent logging and endpoint tooling are built to catch violations, not routine-looking calls made on hidden instructions. |
MCP-04 — High Already Confirmed, Not Theoretical Koi Security's postmark-mcp discovery shows the pattern in practice: a legitimate-looking release history followed by one update that quietly redirected outgoing mail — proof this technique already works in production, not just in a lab. |
// Five Actions — Start This Week
| [✓] | Inventory every MCP tool your agents can call. List each tool, its maintainer, and which agents have access to it. You cannot govern a trust boundary you cannot see. |
| [✓] | Require human sign-off on description changes. Treat any update to a tool's description as a dependency bump, not documentation — it needs review before it reaches a production agent. |
| [✓] | Pin tool versions and diff every update. Alert on any change to a tool's description text, including fields that don't render in the visible summary a user would see. |
| [✓] | Monitor outbound data flows from agent sessions. Treat an agent's egress traffic the way you would a service account's — baseline it, and alert on data leaving to unfamiliar destinations. |
| [✓] | Test your own setup this week. Confirm whether your MCP client silently reloads updated tool descriptions, or whether it stops and asks a human first. If you don't know the answer, that's the finding. |
|
|
|
|
A Canadian Automaker Just Tested What PIPEDA's Breach Standard Means in Practice
Nissan disclosed that Canadian employees' Social Insurance Numbers were exposed in the ShinyHunters campaign against Oracle PeopleSoft — a live test of the "real risk of significant harm" threshold that governs every Canadian breach notification decision.
Mandiant confirmed that threat actors exploited CVE-2026-35273, an unauthenticated RCE in Oracle PeopleSoft Enterprise PeopleTools, as a zero-day between May 27 and June 9, primarily against education-sector organizations. ShinyHunters claimed the campaign publicly, and Mandiant has since notified more than 100 affected organizations. Nissan has since disclosed that the same campaign compromised its PeopleSoft environment and exposed current and former employees' contact information, banking details, Social Security Numbers, and Social Insurance Numbers — with the company stating impact "in the United States, Canada, Mexico, and Brazil." Bleeping Computer → The Hacker News →
Framework — All Private-Sector Organizations PIPEDA — Mandatory Breach Notification PIPEDA requires organizations to report to the Office of the Privacy Commissioner and notify affected individuals for "breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals." Significant harm expressly includes financial loss and identity theft — the exact categories of data Nissan disclosed, including Social Insurance Numbers, a Canada-specific identifier that raises the sensitivity of the exposure on its own. The action: If your organization runs PeopleSoft PeopleTools 8.61 or 8.62 for HR or payroll, confirm Oracle's out-of-band patch is applied, and use the OPC's real-risk-of-significant-harm assessment tool rather than defaulting to "no evidence of misuse yet" as a reason to delay a notification decision. Primary source: Office of the Privacy Commissioner of Canada → |
The lesson for boards is not specific to Oracle or PeopleSoft. Any HR, payroll, or benefits platform holding SINs is a RROSH decision waiting to happen the moment a vendor discloses a zero-day. Confirm today whether your organization can answer "what personal data does this system hold, and who has access to the patch status" before a breach notification clock starts running.
|
| 03 — // Threat & Defence Matrix |
|
|
This week’s confirmed exploitations mapped to the control that contains them
| Threat | Defence |
Poisoned MCP tool descriptions redirect agent actions (Microsoft, June 30) A hidden instruction in a trusted tool's metadata makes an agent leak data with no rule visibly broken. | Change control on tool metadata Pin tool versions, diff description text on every update, require human sign-off before a changed description reaches a production agent. |
SimpleHelp OIDC auth bypass (CVE-2026-48558, CVSS 10.0) Forged identity tokens grant full technician access; TaskWeaver and Djinn Stealer malware confirmed on compromised MSP endpoints. | Patch and audit downstream access Update to SimpleHelp 5.5.16 or later; MSPs and MSP clients should audit every managed endpoint for TaskWeaver/Djinn Stealer indicators. |
PTC Windchill/FlexPLM deserialization RCE (CVE-2026-12569, CVSS 9.8) Unauthenticated attackers deploy JSP webshells on manufacturing and PLM servers. | Patch + webshell hunt Update to 11.0 M030 or later; hunt for JSP webshells on any internet-facing Windchill or FlexPLM instance. |
SharePoint deserialization RCE (CVE-2026-45659, CVSS 8.8) Any authenticated Site Member can trigger RCE; Microsoft rated exploitation "less likely," CISA confirmed active exploitation July 1. | Confirm the patch, don't trust the rating Verify the May 2026 fix is applied on every SharePoint Server; treat vendor exploitability ratings as one input, not the final word. |
Oracle PeopleSoft zero-day RCE (CVE-2026-35273, CVSS 9.8) Unauthenticated RCE exploited by ShinyHunters against 100+ organizations before a patch existed. | Patch + breach assessment Apply Oracle's out-of-band fix to PeopleTools 8.61/8.62; assess PIPEDA notification obligations wherever Canadian personal data may be affected. |
|
| 04 — // On Our Radar + Patch Priority |
|
// On Our Radar — Not Yet at Critical Threshold
| → | RoguePlanet Defender zero-day (no CVE assigned yet): A TOCTOU race in Microsoft Defender's own file-processing path lets a local attacker reach SYSTEM on fully patched Windows 10/11. No CVE or Microsoft advisory exists for RoguePlanet as of publication, and there is no confirmed in-the-wild exploitation of the PoC itself — but its predecessor, BlueHammer, was already used in live intrusions before this one surfaced. Help Net Security → |
| → | Secure Boot Production PCA 2011 expiry: With the KEK and UEFI CAs expired June 24 and 27, the next milestone is the Windows Production PCA 2011 on October 19. Confirm the 2023 CAs are installed well ahead of that date. Tracking since Issue #039. |
| → | KEV confirmations keep clustering: PTC Windchill, SimpleHelp, and Microsoft SharePoint were each confirmed as actively exploited within a 6-day span across three unrelated vendors and sectors — the same compression pattern flagged in our June 29 issue, continuing. |
|
| // Patch Priority — This Week |
| P1 — NOW | PTC Windchill / FlexPLM CVE-2026-12569 (CVSS 9.8) — unauthenticated deserialization RCE; CISA KEV June 25; JSP webshells already dropped on unpatched instances. Update to 11.0 M030 or later and hunt for webshells. | Enterprise · IT Ops |
|
| P1 — NOW | SimpleHelp CVE-2026-48558 (CVSS 10.0) — OIDC auth bypass; CISA KEV June 29; delivering TaskWeaver and Djinn Stealer via forged technician access. Update to 5.5.16+ and audit every downstream managed endpoint. | IT Ops · Enterprise |
|
| P2 — WEEK | Microsoft SharePoint CVE-2026-45659 (CVSS 8.8) — deserialization RCE exploitable by any Site Member; CISA KEV July 1 despite Microsoft's original "less likely" rating. Confirm the May 2026 patch is applied. | Enterprise · IT Ops |
|
| P2 — WEEK | Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8) — unauthenticated zero-day RCE exploited by ShinyHunters against 100+ organizations. Apply Oracle's out-of-band patch to PeopleTools 8.61/8.62 and assess PIPEDA notification exposure. | Enterprise |
|
|
HARDENED | HARDENED is published for general informational and educational purposes. All threat data is sourced from publicly available security research and cited accordingly. This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment. All data as of July 4, 2026. hardened.news |
|
|