HARDENED
Cybersecurity Intelligence
Issue No. 014  ·  April 6, 2026  ·  Weekly Flagship  ·  hardened.news
The signal. Not the noise.    For teams that defend.
Enterprise · Cloud+DevOps · IT Ops · Developers · End Users
Gates cleared: Gate 1 Active Exploitation · Gate 2 Blast Radius · Gate 3 Canadian
01 — // Lead Story — Deep Dive
Your AI Agents Trust Every Tool Server They Connect To By Default. In March, That Trust Cost Nearly Fifty Thousand Developers Their Cloud Credentials.
On March 24, threat actor TeamPCP poisoned a security scanner in the LiteLLM CI/CD pipeline, obtained PyPI credentials, and pushed backdoored packages downloaded nearly 47,000 times in a 46-minute window. Every developer whose environment auto-installed the latest version via MCP server startup had their cloud credentials, SSH keys, and Kubernetes configurations exfiltrated. Issue No. 009 flagged the MCP registry governance gap as a slow burn. It stopped being slow-burn six days ago.

The Model Context Protocol is now the standard interface through which AI assistants — Claude Desktop, GitHub Copilot, Cursor, VS Code Copilot, and enterprise agents — connect to external tools and data sources. Anthropic published the spec in November 2024; by March 2026, the MCP SDK had reached 97 million monthly downloads and thousands of server packages were available across GitHub, PyPI, npm, and dedicated registries. MCP was designed for capability first. Security architecture came second, and in several places it has not arrived yet.

The architectural gap is concrete. In MCP’s original specification, authentication between client and server is optional. Tool definitions are not cryptographically signed. Server registries have no centralized vetting process. An AI agent connects to an MCP server, receives a list of tool descriptions, and acts on those descriptions without independent verification. For a protocol that routinely holds filesystem access, production API credentials, database query rights, and browser session data, that trust model is a significant liability.

The vulnerability data from early 2026 reflects the gap. AgentSeal scanned 1,808 publicly reachable MCP servers: 66% had at least one security finding, 43% were vulnerable to shell or command injection, 13% had authentication bypass conditions, and 10% had path traversal flaws. CVE-2025-6514 — command injection in the mcp-remote package used by Claude Desktop, VS Code, and Cursor — carried a CVSS of 9.6 and had been downloaded more than 437,000 times. Thirty CVEs were filed against MCP infrastructure in its first fifteen months of existence. OWASP published its first MCP Top 10.

The LiteLLM supply chain attack on March 24 — the same campaign this newsletter’s March 26 Quick Hit first reported as the Trivy CI/CD compromise — moved the threat from theoretical to confirmed. What that initial coverage could not yet reveal was the full MCP-specific delivery mechanism. Threat actor TeamPCP had compromised Trivy — an open-source container security scanner integrated into LiteLLM’s CI/CD pipeline — and used that access to obtain the LiteLLM maintainer’s PyPI publishing credentials. Backdoored versions 1.82.7 and 1.82.8 were live for approximately 46 minutes before PyPI quarantined them. In environments where LiteLLM was a dependency — including developer workstations using MCP servers through Cursor, which triggered automatic package updates on server startup — a malicious .pth file executed automatically on Python process startup, exfiltrating SSL certificates, SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes configurations, Git credentials, API keys, and shell history. Mercor confirmed it was affected (TechCrunch, March 31, 2026). LiteLLM ordinarily sees 3.4 million downloads per day; the two backdoored releases drew nearly 47,000 confirmed malicious downloads in their 46-minute window.

The supply chain attack is the most legible MCP attack class because it has a clear before-and-after. The others are more insidious. Tool poisoning places malicious instructions inside MCP tool description fields — text invisible to the human user but processed in full by the AI model. Invariant Labs demonstrated complete WhatsApp message history exfiltration through this mechanism (April 2025) and showed that a malicious GitHub issue could redirect an AI assistant into leaking private repository contents and salary data into a public pull request (May 2025). The rug pull operates post-connection: a server presents a clean manifest, then alters tool definitions to demand credentials as “mandatory parameters.” An agent trained to be helpful supplies them. The full attack taxonomy follows in the risk cards below.

The Anthropic Git MCP server carried a three-vulnerability chain. CVE-2025-68143 allowed unrestricted git_init on arbitrary paths. CVE-2025-68144 enabled argument injection via git_diff and git_checkout, permitting file overwrite and deletion. CVE-2025-68145 bypassed the path-validation allowlist. Chained, the three allow remote code execution via malicious instructions embedded in a repository README the agent reads during a legitimate task. Fixed in version 2025.12.18 (December 2025). The vulnerability did not require the agent to do anything wrong — only that it read a file an attacker controlled, which is what agents do.

The researcher who discovered the attack was compromised simply by starting a local MCP server in Cursor, which auto-downloaded the latest LiteLLM version — malware live on PyPI for only minutes — with nothing else required.

— FutureSearch / Callum McMahon, March 2026 (futuresearch.ai/blog/litellm-pypi-supply-chain-attack/)

// MCP Attack Taxonomy — Four Vectors, Each Confirmed in the Wild
MCP-01 — Critical
Supply Chain Compromise

MCP packages are not vetted by any central registry authority. The LiteLLM attack (March 24, 2026) demonstrated the full chain: scanner compromise → PyPI credential theft → backdoored release → nearly 47,000 malicious downloads in 46 minutes. MCP auto-update on Cursor startup was the delivery mechanism.

MCP-02 — Critical
Tool Poisoning

Tool descriptions are processed as trusted instruction by the AI model. A malicious server embeds hidden directives in description fields — invisible in the UI, but parsed in full by the model — instructing it to exfiltrate data or call external endpoints before returning a visible result. Bypasses DLP tools because exfiltration looks like normal agent behaviour. Confirmed: WhatsApp history exfiltration (Invariant Labs, April 2025); GitHub private repo data exposure (Invariant Labs, May 2025).

MCP-03 — High
Rug Pull (Post-Handshake Tool Mutation)

A server presents a clean manifest at connection, then alters tool definitions post-deployment to demand credentials — cloud access keys, database passwords, session tokens — as “mandatory parameters.” An agent built to be helpful treats these as legitimate API constraints and supplies them. Exploits model behaviour, not a code vulnerability. No CVE; no patch. The control is architectural: verify tool definitions against the hash recorded at initial connection.

MCP-04 — High
Prompt Injection via Untrusted Content

When an MCP-enabled agent reads external content — a GitHub issue, a support ticket, a file — that content can contain embedded instructions the model processes as commands. Unlike direct prompt injection attacks against a chat interface, this vector operates indirectly: the attacker cannot reach the agent directly, but controls content the agent will read during a legitimate task. The Anthropic Git MCP chain (CVE-2025-68143/44/45) demonstrates the pattern: an attacker-controlled README can instruct the agent to execute arbitrary code, overwrite files, or exfiltrate data during what looks like a normal repository operation.

// Five Actions — Start This Week
[✓] Audit every MCP server in your environment immediately. Inventory all MCP servers connected to Claude Desktop, VS Code, Cursor, and any enterprise AI deployment. Verify the publisher and version of each server package. If LiteLLM 1.82.7 or 1.82.8 was ever installed (March 24, 2026, 46-minute window), treat all credentials on that machine as compromised and rotate them now.
[✓] Pin MCP server versions. Disable automatic updates. Auto-update on MCP server startup is the exact mechanism the LiteLLM supply chain attack exploited. Pin every MCP server dependency to a verified version hash. Before updating, verify the release against the publisher’s signed commits. No silent updates — treat MCP packages as production infrastructure dependencies.
[✓] Update mcp-remote and the Anthropic Git MCP server now. CVE-2025-6514 (mcp-remote, CVSS 9.6) and the CVE-2025-68143/44/45 chain (Anthropic Git MCP) are both patched in current releases. Update mcp-remote to latest. For the Git MCP server, verify version 2025.12.18 or later — the full fix is version 2025.12.18 (December 2025). Do not use older versions against repositories containing untrusted content.
[✓] Apply network egress controls to MCP server processes. Apply host-based firewall rules or container network policies that limit MCP server processes to the specific endpoints they require for their defined function. An MCP server wrapping a database query tool has no legitimate reason to make outbound calls to arbitrary IP addresses. Egress controls are the primary defence against tool poisoning and rug pull attacks that depend on data leaving your environment.
[✓] Implement human approval gates for high-consequence MCP actions. Any MCP tool that can write files, execute shell commands, post to external services, or access production databases should require explicit human confirmation. This is the most effective control against rug pull and tool poisoning attacks: an agent cannot be tricked into exfiltrating data or supplying credentials if a human must approve the action first. Build approval workflows into your agentic deployment pipeline as a non-negotiable requirement for high-privilege toolsets.
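One way to build the approval gate the fifth action describes, as an added example that is not code from this newsletter, from Anthropic, or from any MCP client or SDK. The wrapper classifies each tool call by consequence (file write, shell execution, external post, production database), lets read-only tools run unattended, refuses any high-consequence call a human has not approved, and writes every verdict to an audit log. The tool-name patterns, the approver callback and the in-memory log are constructed stand-ins for a manifest-keyed policy, a real UI prompt and a real log sink; the annotation keys assume MCP's tool annotation hints (readOnlyHint, destructiveHint).

```python
"""Added example (not code from the newsletter or any MCP client/SDK): a
human-approval gate in front of MCP tool calls. Read-only tools run
unattended; high-consequence calls run only with a human's approval."""
from __future__ import annotations
import json
import re
import time
from typing import Callable

# The high-consequence capabilities named in the action item, keyed by a
# constructed tool-name pattern. A production policy would key on the
# verified manifest hash rather than on naming convention.
HIGH_CONSEQUENCE = {
    "file_write": r"^(write|create|delete|move|rename)_",
    "shell_exec": r"^(run|exec|shell|bash|sh)_|_command$",
    "external_post": r"^(post|send|publish|upload)_",
    "prod_db": r"^(db_|sql_)",
}
READ_ONLY_OVERRIDES = {"sql_select_readonly"}  # constructed: a reviewed, read-only DB tool

def classify(tool_name: str, annotations: dict | None = None) -> str | None:
    """Return the consequence class, or None if the call may run unattended.
    Server-supplied annotations are untrusted: destructiveHint can raise the
    class, but readOnlyHint never lowers it (a poisoned server would claim it)."""
    annotations = annotations or {}
    if tool_name in READ_ONLY_OVERRIDES:
        return None
    if annotations.get("destructiveHint"):
        return "destructive"
    for cls, pattern in HIGH_CONSEQUENCE.items():
        if re.search(pattern, tool_name):
            return cls
    return None

class ApprovalGate:
    def __init__(self, approver: Callable[[str, str, dict], bool]):
        self.approver = approver          # human decision: (tool, class, args) -> bool
        self.audit_log: list[dict] = []   # what was called, in which class, with what, and the verdict

    def invoke(self, tool_name: str, args: dict, execute: Callable[[dict], object],
               annotations: dict | None = None) -> dict:
        cls = classify(tool_name, annotations)
        if cls is None:
            decision = "auto-allowed"
        elif self.approver(tool_name, cls, args):
            decision = "approved"
        else:
            decision = "refused"
        self.audit_log.append({"ts": time.time(), "tool": tool_name, "class": cls,
                               "args": args, "decision": decision})
        if decision == "refused":
            return {"ok": False, "reason": f"{tool_name} ({cls}) refused: no human approval"}
        return {"ok": True, "result": execute(args)}

def demo() -> list[dict]:
    """Constructed session. The approver stands in for a human who refuses every
    shell execution and approves everything else that reaches them."""
    gate = ApprovalGate(lambda tool, cls, args: cls != "shell_exec")
    fake_exec = lambda args: "executed " + json.dumps(args, sort_keys=True)
    gate.invoke("sql_select_readonly", {"query": "SELECT count(*) FROM orders"}, fake_exec)
    gate.invoke("run_command", {"cmd": "env"}, fake_exec)                        # refused
    gate.invoke("write_file", {"path": "notes.md", "content": "hi"}, fake_exec)  # needs approval
    gate.invoke("search_docs", {"q": "mcp"}, fake_exec, {"readOnlyHint": True})  # unattended
    # A server claiming readOnlyHint on a delete tool still lands in file_write.
    gate.invoke("delete_branch", {"name": "old"}, fake_exec, {"readOnlyHint": True})
    return gate.audit_log

if __name__ == "__main__":
    for entry in demo():
        print(entry["decision"], entry["tool"], entry["class"])
```

The design point is in classify: the server is the untrusted party, so nothing it says about its own tools can lower the consequence class; only the client's own policy and a human can.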
02 — // Threat & Defence Matrix
MCP attack patterns mapped to confirmed incidents and operational defensive controls
Threat · Defence

Supply chain compromise via MCP dependency
Confirmed active (LiteLLM, March 24, 2026). Attacker compromises CI/CD tooling, obtains publishing credentials, releases backdoored package. MCP auto-update on server startup triggers silent installation. Payload exfiltrates all credentials before detection.

Pin versions + SBOM + publisher verification
Pin all MCP server dependencies to verified version hashes. Maintain an SBOM for every agent deployment. Before updating any MCP package, verify against the publisher’s signed commits. The registry is the attack surface; do not rely on registry trust alone.

Hidden instructions in tool descriptions
Confirmed: WhatsApp exfiltration (Invariant Labs, April 2025), GitHub data exposure (Invariant Labs, May 2025). Tool description fields are processed as instruction by the LLM but not rendered to the user. Hidden directives can redirect agent behaviour, exfiltrate session context, or invoke secondary tools before returning a visible result.

Tool description review + server allowlisting
Review the full raw tool definition — not just the display name — before approving any MCP server. Maintain an allowlist with hashed manifests. Flag descriptions containing network calls, credential references, or instructions to suppress output. Do not approve servers with unusually long or opaque description fields.

Rug pull: post-handshake tool definition mutation
Server presents a clean manifest at connection, then silently alters tool definitions to demand credentials as mandatory parameters. Agent complies because it is designed to be helpful. No code vulnerability; exploits model behaviour. Undetectable without post-connection definition monitoring.

Hash tool definitions at connection; alert on change
Record a cryptographic hash of the initial tool manifest. Re-verify on every subsequent session; alert on any deviation. MCP servers have no legitimate reason to alter tool definitions post-handshake. Any change should trigger immediate server suspension. Treat definition changes the same way you treat unexpected certificate changes.

Prompt injection via untrusted content
Confirmed: Anthropic Git MCP (CVE-2025-68143/44/45), GitHub MCP injection (Invariant Labs, May 2025), Supabase Cursor agent attack (July 2025). Agent reads attacker-controlled content (README, issue, ticket) during a legitimate task; embedded instructions execute as commands. Exfiltration is a side effect of normal agent activity.

Sanitize untrusted input + human-in-the-loop for writes
Apply a read-only rule for external content: an agent can retrieve and summarize external data, but any action triggered by that data requires explicit human approval. Patch the Anthropic Git MCP server to 2025.12.18+ immediately.

Unauthenticated MCP server with production access
66% of 1,808 scanned servers had security findings; 43% vulnerable to command injection (AgentSeal). Authentication is optional in the current spec. Servers wrapping databases, file systems, or production APIs without authentication are unauthenticated privileged access points by design.

Mandatory auth + network segmentation + audit logging
Require authentication for every MCP server accessing production systems. Do not expose MCP servers to the public internet. Apply network policies limiting client access. Enable audit logging for all tool invocations — what was called, by which agent, with what parameters. Do not wait for MCP 2.0 to make authentication mandatory.

03 — // The Canada Angle
A Protocol Without Guardrails Meets a Regulatory Environment That Is Running Out of Patience
No CCCS advisory. No specific OPC guidance on AI agents. But the legal exposure from an MCP-enabled incident is already real under three frameworks that are in force, approaching enforcement, or advancing through Parliament right now.

Issue No. 009 expected CCCS AI agent security guidance in Q2 2026. We are now in Q2; no specific advisory on MCP or agentic AI has appeared. Canadian organizations cannot wait for regulatory clarity. The three frameworks below already create exposure for MCP-related incidents, and the enforcement weight behind each is increasing.

Framework 1 — Federally Regulated Financial Institutions
OSFI Guideline E-23 — Model Risk Management

OSFI’s final Guideline E-23, effective May 1, 2027, requires federally regulated financial institutions (FRFIs) to apply proportional model risk management to AI and machine-learning systems, including third-party AI components. An MCP server connecting a bank’s AI agents to customer data or trading systems is a third-party AI component in scope. A supply chain compromise of that server — or a tool poisoning attack redirecting agent behaviour — is a material model risk event requiring documented governance, defined accountability, and evidence of third-party risk controls.

The action: Canadian banks, insurers, and pension funds should include MCP server inventory in their E-23 readiness gap assessments now. Every MCP server with access to production systems is a third-party model component requiring documented governance.

Primary source: OSFI Guideline E-23 →

Framework 2 — All Private Sector Organizations
PIPEDA — Mandatory Breach Notification & Accountability

MCP agents deployed in enterprise environments routinely access personal information: customer records, employee data, health records. Under PIPEDA, organizations are accountable for personal information in the possession of agents acting on their behalf, and must report to the Office of the Privacy Commissioner when a security safeguard failure creates a real risk of significant harm. A tool poisoning attack redirecting an agent to forward customer data to an attacker-controlled endpoint is a security safeguard failure; the hidden-instruction mechanism does not reduce accountability. The OPC has issued no specific guidance on AI agents or MCP. That gap belongs to the organization to fill.

The action: Conduct a privacy impact assessment for every MCP-enabled workflow that handles personal information. Scope agent access to the verified minimum. Document the controls preventing tool poisoning redirection — that documentation is your first line of defence in a PIPEDA investigation.

Primary source: OPC — PIPEDA Overview →

Framework 3 — Critical Infrastructure Operators
Bill C-8 — Critical Cyber Systems Protection Act

Bill C-8, the successor to Bill C-26, reintroduced the Critical Cyber Systems Protection Act (CCSPA) provisions covering designated operators in Canada’s banking, telecommunications, energy, and transportation sectors. As of April 2026, Bill C-8 has passed second reading and is under active study by the Standing Committee on Public Safety and National Security (SECU). When passed, CCSPA will require mandatory cybersecurity programs, supply chain risk management, and incident reporting for designated operators. A supply chain attack through an MCP server dependency — the LiteLLM pattern — is exactly the class of third-party software risk CCSPA targets. A Canadian bank or telco whose AI deployment was affected by the March 24 attack would face CCSPA reporting obligations that do not exist today but will.

The action: Designated operators should map all third-party AI tool dependencies — including MCP server packages — against CCSPA supply chain risk requirements now. Bill C-8 is in active committee. Waiting for Royal Assent to begin is waiting too long.

Primary source: Parliament of Canada — Bill C-8 →

04 — // On Our Radar + Patch Priority
// On Our Radar — Not Yet at Critical Threshold
MCP 2.0 mandatory authentication: Anthropic has proposed making OAuth-based authentication mandatory in the next MCP spec revision, removing the “optional” posture that leaves unauthenticated deployments within spec. Watch for the Q2–Q3 2026 release. Until then, treat optional authentication as optional only on paper — require it in your deployment policy now, regardless of what the spec says. MCP Spec →
CVE-2025-49596 — MCP Inspector drive-by (CVSS 9.4): A critical vulnerability in the official MCP Inspector development tool allows attackers to compromise a developer’s machine through a single malicious webpage visit. No authentication or MCP connection required; the attack exploits the Inspector’s localhost interface via cross-origin request, achieving arbitrary code execution. Developer tooling for MCP creates a browser-accessible attack surface that conventional server software does not. If MCP Inspector is installed, verify you are on the patched release and do not leave it running when not in use. Docker Research →
OWASP MCP Top 10 — first version published: OWASP has published its first MCP Top 10, covering prompt injection, tool poisoning, insecure server configuration, missing authentication, and supply chain risks. The document is in community review, expected to finalize Q2 2026. Begin mapping your MCP deployments against the draft now — the final Top 10 is likely to be referenced in regulatory assessments the same way the OWASP Web Application Top 10 is today. OWASP MCP Top 10 →
// Patch Priority — This Week
P1 — NOW · Chrome CVE-2026-5281 (CVSS High) — Use-after-free in Dawn/WebGPU, active exploitation confirmed, CISA KEV April 1, federal deadline April 15. Update to 146.0.7680.177/178 (Win/Mac) or 146.0.7680.177 (Linux). Applies to Edge, Brave, Opera, and Vivaldi on Chromium. Audience: All Teams
P1 — NOW · mcp-remote CVE-2025-6514 (CVSS 9.6) — Command injection via untrusted OAuth endpoint handling; 437,000+ downloads affected. Update to latest version. Affects Claude Desktop, VS Code, Cursor. If updated this week, verify version hash against publisher GitHub release. Audience: Developers · Cloud+DevOps
P1 — NOW · Anthropic Git MCP Server CVE-2025-68143/68144/68145 — Chained RCE via prompt injection from malicious repository content. Update to version 2025.12.18+ for full remediation. Do not use older versions against untrusted repositories. Audience: Developers
P1 — VERIFY · LiteLLM supply chain check — If your Python environment ever ran LiteLLM 1.82.7 or 1.82.8 (March 24, 2026), treat all credentials on that host as compromised. Rotate AWS/GCP/Azure keys, SSH keys, Git credentials, API tokens, and any secrets present in shell history. Scan installed .pth files for litellm_init.pth. Audience: Developers · Cloud+DevOps
P2 — WEEK · Ivanti EPMM CVE-2026-1281 + CVE-2026-1340 (CVSS 9.8 each) — Covered in Issue No. 013. Permanent fix in EPMM 12.8.0.0. If you applied the hot-fix but have since updated EPMM to any later version, verify the patch persists — the hot-fix is silently removed on version updates. Audience: IT Ops · Enterprise
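A host check for the LiteLLM P1 VERIFY item above, as an added example that is not code from LiteLLM, pip, or this newsletter. It reports whether the installed LiteLLM is one of the two backdoored versions and lists every .pth file in the interpreter's site-packages directories, flagging the lines Python executes at startup (site.py runs any .pth line that begins with `import`; every other line is only appended to sys.path, which is why a .pth file is a startup-execution vector). The demo fixture directory and its two .pth files are constructed; litellm_init.pth and the version numbers are the indicators named above.

```python
"""Added example (not LiteLLM, pip or newsletter code): report a backdoored
LiteLLM install and list .pth files that execute code at interpreter start."""
from __future__ import annotations
from importlib import metadata
from pathlib import Path
import site
import tempfile

BACKDOORED_LITELLM = {"1.82.7", "1.82.8"}   # versions named in the VERIFY item
KNOWN_BAD_PTH = {"litellm_init.pth"}         # file name named in the VERIFY item

def is_backdoored_litellm(version: str) -> bool:
    return version.strip() in BACKDOORED_LITELLM

def installed_litellm_version() -> str | None:
    """Version of litellm in this interpreter's environment, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None

def executable_pth_lines(pth_file: Path) -> list[str]:
    """site.py executes every .pth line beginning with 'import ' or 'import\\t'
    at interpreter start; other non-comment lines are only added to sys.path."""
    text = pth_file.read_text(encoding="utf-8", errors="replace")
    return [line for line in text.splitlines() if line.startswith(("import ", "import\t"))]

def scan_pth_files(directories) -> list[dict]:
    """One record per .pth file directly inside each directory that exists."""
    records = []
    for d in directories:
        d = Path(d)
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            code = executable_pth_lines(pth)
            records.append({"path": str(pth), "name": pth.name,
                            "known_bad_name": pth.name in KNOWN_BAD_PTH,
                            "executes_code": bool(code), "import_lines": code})
    return records

def site_package_dirs() -> list[str]:
    """Directories where .pth files are honoured: global and user site-packages."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs

def host_report() -> dict:
    """What an operator would review on a workstation or CI runner."""
    version = installed_litellm_version()
    return {"litellm_version": version,
            "litellm_backdoored": bool(version and is_backdoored_litellm(version)),
            "pth_files": scan_pth_files(site_package_dirs())}

def demo_scan() -> list[dict]:
    """Constructed fixture: a fake site-packages with one benign path-only .pth
    and one .pth carrying an import line (the startup-execution pattern, with a
    harmless statement in place of a payload)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "extra-paths.pth").write_text("# added by a local tool\n/opt/tools/lib\n")
        Path(tmp, "litellm_init.pth").write_text("import sys; sys.path.insert(0, '/opt/tools')\n")
        return scan_pth_files([tmp, Path(tmp, "does-not-exist")])

if __name__ == "__main__":
    import json
    print(json.dumps(host_report(), indent=2))
```

Run it under every interpreter on the host (system Python, each virtualenv, each tool-managed environment), because each has its own site-packages and therefore its own set of .pth files; a clean report from one interpreter says nothing about the others.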

HARDENED is published for general informational and educational purposes. All threat data is sourced from public security research and cited accordingly. This is not professional security advice. Consult a qualified professional for environment-specific guidance. All data as of April 6, 2026.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is human-reviewed before publication. Spot an error? Reply directly — we correct promptly.

Sources: FutureSearch / Callum McMahon, LiteLLM supply chain (futuresearch.ai/blog/litellm-pypi-supply-chain-attack/) · TechCrunch, Mercor breach (March 31, 2026) · Invariant Labs, WhatsApp MCP exfiltration (April 2025) · Invariant Labs, GitHub MCP prompt injection (May 2025) · AgentSeal MCP server scan, 1,808 servers (2026) · OWASP MCP Top 10 (owasp.org/www-project-mcp-top-10/) · Docker MCP Horror Stories series (docker.com/blog) · NVD: CVE-2025-6514, CVE-2025-68143, CVE-2025-68144, CVE-2025-68145, CVE-2025-49596, CVE-2026-5281 · Anthropic Git MCP advisories (github.com/anthropics/mcp-server-git) · CISA KEV (cisa.gov/kev) · OSFI Guideline E-23 (osfi-bsif.gc.ca) · OPC PIPEDA (priv.gc.ca) · Bill C-8 / CCSPA, parl.ca · CCCS, cyber.gc.ca
