341 Malicious AI Skills and Counting: The MCP Security Vulnerability Nobody Saw Coming

Imagine visiting a website — just a normal website — and it silently hijacks your AI coding assistant. No malware download. No phishing link. Just a WebSocket handshake to your localhost, and suddenly a stranger controls your AI agent. That is not a hypothetical. The MCP security vulnerability called ClawJacked worked on every OpenClaw user until a patch landed 24 hours later.

In Part 1 of the 2026 Cyber Threat Map, we explored how supply chain attacks evolved to target the infrastructure beneath vendors. Now, the AI layer connecting everything is under siege too. The protocol at the center of it all? MCP — Model Context Protocol.

In the last 60 days alone, MCP has racked up 30 CVEs. Scan 500 MCP servers, and 38% lack even basic authentication. One in nine marketplace skills is malicious. This is the fastest-growing attack surface of 2026, and most teams do not know it exists.

TL;DR — MCP is AI’s biggest new attack surface.

  • 341 malicious skills found on ClawHub, 38% of MCP servers lack authentication
  • ClawJacked lets any website hijack your local AI agent via WebSocket
  • Claude Code had RCE + API key exfiltration vulns (CVSS 8.7)

Read time: ~6 min

What MCP Security Vulnerability Means and Why It Matters

Think of MCP as the universal USB port for AI agents. Just as USB lets any peripheral plug into your computer, MCP lets any AI tool — code assistants, data analyzers, automation bots — plug into external services. Databases, APIs, cloud storage, Slack: one protocol to connect them all (Anthropic).

The appeal is obvious. Before MCP, every AI integration was bespoke wiring. MCP standardized that. Now 70% of enterprises run AI agents in production, and 23% more plan to deploy by year-end (Team8 CISO Village Survey, Orchid Security).

But here is the thing about universal connectors. They are also universally exploitable.

Palo Alto Networks calls MCP the “lethal trifecta”: it grants access to private data, exposes agents to untrusted content, and enables outbound communication — all through a single protocol.

The MCP attack surface breaks into three categories: marketplace poisoning (the skills your agent downloads), protocol-level vulnerabilities (how MCP itself can be abused), and identity blind spots (agents operating in the dark, ungoverned).

MCP Security Vulnerability — By the Numbers

  • 341: malicious skills on ClawHub
  • 30: CVEs in 60 days
  • 38%: servers without authentication

Marketplace Poisoning: ClawHub and the 341 Malicious Skills


Security firm Koi Security audited 2,857 skills on ClawHub — the largest MCP skill marketplace — and found 341 of them were malicious. That is an 11.9% infection rate (The Hacker News).

Of those 341 skills, 335 distributed the same payload: Atomic Stealer (AMOS), a macOS infostealer that harvests browser passwords, crypto wallet seeds, and session tokens. The campaign was named ClawHavoc (Koi Security).

The disguises were convincing. Crypto portfolio trackers. YouTube subtitle downloaders. Google Workspace integrations. Even an “auto-updater” that updated you straight into malware.

A separate audit by Straiker scanned 3,505 skills and found 71 additional malicious entries. Combined, that is 400+ poisoned skills circulating in the MCP ecosystem.

The more alarming finding was an agent-to-agent attack vector. A skill called BobVonNeumann operated on the Moltbook social network, where it recommended malicious skills to other AI agents. One recommendation tricked an AI into storing Solana wallet keys in plaintext — a crypto heist automated entirely by machines talking to machines (Koi Security).

This is the npm/PyPI poisoning playbook — the same supply chain attack pattern from Part 1 — but now running inside AI agent ecosystems where the “developer” downloading the package is itself an AI.

Protocol Vulnerabilities: When the Plumbing Is Broken

Marketplace poisoning relies on tricking users (or agents) into installing bad skills. Protocol vulnerabilities are worse: they exploit how MCP itself works.

ClawJacked is the poster child. Here is how it worked: a malicious website runs JavaScript that connects to your localhost WebSocket — the channel your MCP gateway uses. Browsers do not block cross-origin WebSocket requests the way they block HTTP requests. No rate limiting on password attempts meant the attacker could brute-force the gateway password, register as a trusted device, and take full control of your AI agent (The Hacker News).

The victim? Anyone who visited the wrong webpage while their AI agent was running locally. No clicks, no downloads, no warnings.

OpenClaw patched ClawJacked within 24 hours (v2026.2.25), but the incident exposed deeper architectural issues: log poisoning via prompt injection to manipulate agent reasoning, plus seven more CVEs covering RCE, SSRF, authentication bypass, and path traversal.

Microsoft’s advisory was blunt: “Treat OpenClaw as untrusted code execution with persistent credentials. Deploy only in isolated environments.”

ClawJacked Attack Chain

  1. Victim visits a malicious website. JavaScript on the page initiates a cross-origin WebSocket connection to localhost.
  2. WebSocket connects to the MCP gateway. Browsers allow cross-origin WebSocket requests; no CORS policy blocks this.
  3. Brute-force the gateway password. No rate limiting on authentication attempts; the password is cracked in seconds.
  4. Full AI agent takeover. The attacker registers as a trusted device and gains complete control over the agent’s actions and data access.
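The two server-side controls that break this chain at steps 2 and 3 are an Origin allow-list on the WebSocket upgrade and a lockout on repeated failed password attempts. The following is an added illustration in Python, not OpenClaw’s gateway code; the header layout, the allowed origins and the lockout thresholds are assumptions chosen for the example.

```python
"""Added example (not OpenClaw's code): handshake policy for a localhost
MCP gateway that (1) rejects WebSocket upgrades whose Origin header is not
on an explicit allow-list and (2) locks out a client after repeated failed
password attempts so the gateway cannot be brute-forced from a browser tab.
Header names, allowed origins and thresholds are assumptions."""
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the gateway's own UI is served from localhost:3000. Any other
# origin (for example a random website the user happens to visit) is refused.
ALLOWED_ORIGINS = {"http://localhost:3000", "http://127.0.0.1:3000"}

MAX_FAILURES = 5        # failed password attempts allowed per client ...
LOCKOUT_SECONDS = 300   # ... before that client is locked out for this long


def origin_allowed(headers: dict) -> bool:
    """True only if the upgrade request carries an allow-listed Origin.

    Browsers always attach Origin to a WebSocket handshake, so a missing
    header means a non-browser client. We refuse that too (fail closed) so
    the allow-list is the single source of truth."""
    origin = headers.get("origin")
    if origin is None:
        return False
    parts = urlsplit(origin.strip().lower())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


@dataclass
class AuthRateLimiter:
    """Counts failed password attempts per client key and enforces a lockout."""
    max_failures: int = MAX_FAILURES
    lockout_seconds: float = LOCKOUT_SECONDS
    _failures: dict = field(default_factory=dict)      # key -> failure count
    _locked_until: dict = field(default_factory=dict)  # key -> unlock timestamp

    def is_locked(self, key: str, now: float) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lockout expired: reset state
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key: str, now: float) -> None:
        count = self._failures.get(key, 0) + 1
        self._failures[key] = count
        if count >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def handle_handshake(headers, password, expected_password, limiter, now, client_key="browser"):
    """Decide the fate of one gateway handshake.

    Returns 'rejected-origin', 'locked-out', 'bad-password' or 'accepted'.
    Origin is checked before the password so an unexpected origin never
    even gets to spend an attempt against the lockout budget."""
    if not origin_allowed(headers):
        return "rejected-origin"
    if limiter.is_locked(client_key, now):
        return "locked-out"
    # constant-time comparison avoids leaking the password via timing
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        limiter.record_failure(client_key, now)
        return "bad-password"
    limiter.record_success(client_key)
    return "accepted"
```

Note that the lockout alone would still have slowed ClawJacked from seconds to days, but the Origin check is what removes the browser as an attack vector entirely: a page on another origin is refused before it can submit a single password.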

Claude Code: When Your Coding Assistant Turns Against You

The MCP threat is not limited to marketplace tools. Check Point Research found three vulnerabilities in Claude Code — Anthropic’s own AI coding agent (The Hacker News).

  Vulnerability | CVSS | Attack Vector
  Project hooks code injection | 8.7 | Malicious repo’s hook file executes arbitrary code, bypassing user consent
  MCP server auto-shell (CVE-2025-59536) | 8.7 | Shell commands run automatically during MCP server initialization
  API key exfiltration (CVE-2026-21852) | 5.3 | ANTHROPIC_BASE_URL tampered to redirect API traffic, leaking keys

The attack scenario is brutally simple. Clone a malicious repository. Run Claude Code. That is it. The project hook fires, your API key gets siphoned to an attacker-controlled server, and all your authenticated traffic can be redirected.

As Check Point put it: “In AI development environments, the supply chain doesn’t start with source code — it starts with the automation layer.”

This echoes the Part 1 thesis. Supply chain attacks have moved up the stack — from packages to build pipelines to AI tooling itself.

The Azure MCP SSRF

Even cloud giants are not immune. CVE-2026-26118 hit the Azure MCP Server, allowing server-side request forgery (SSRF). An attacker could force the MCP server to make internal network requests on their behalf — potentially reaching metadata endpoints, internal APIs, and secrets stores (Microsoft, patched 2026-03-10).

Combined with the typosquatting problem — where a skill named “mcp-server-sqllite” (one letter off from “sqlite”) runs malicious code on install — the MCP ecosystem is replaying every mistake the package management world made over the past decade, but at AI speed.


Identity Dark Matter: The Invisible Workforce

There is a governance problem lurking beneath the technical vulnerabilities. Orchid Security calls it “Identity Dark Matter” — AI agents operating in enterprise environments that are invisible to traditional identity and access management (IAM) systems (The Hacker News).

Human employees go through HR. They get onboarded, assigned roles, offboarded when they leave. AI agents? They get a service account, broad permissions, and no exit interview.

The attack pattern Orchid Security documented follows a familiar escalation ladder: enumerate what exists, try the easy targets first, acquire “good enough” access, quietly escalate privileges, then operate at machine speed. Except now the attacker does this in seconds, not weeks.

Gartner’s “Market Guide for Guardian Agents” confirms the gap: agent adoption speed is dramatically outpacing governance maturity. Most enterprises have no policy for agent credential rotation, no audit trail for agent-to-agent interactions, and no process for decommissioning agents.

The Full MCP Security Vulnerability Threat Landscape

  Threat Vector | Incident | Impact Scope | Severity
  Marketplace poisoning | ClawHavoc (341 skills) | 11.9% of ClawHub | Critical
  WebSocket hijack | ClawJacked | All OpenClaw users | High
  AI coding tool RCE | Claude Code vulns | All users (repo clone) | CVSS 8.7
  API key exfiltration | Claude Code | Developer API infra | CVSS 5.3
  Cloud SSRF | Azure MCP (CVE-2026-26118) | Azure MCP deployments | High
  Typosquatting | mcp-server-sqllite | Developers installing skills | Medium
  Agent identity drift | Identity Dark Matter | 70% of enterprises | Systemic

Every layer is compromised — the marketplace, the protocol, the cloud infrastructure, the identity layer. The MCP security problem is not a single bug to patch. It is a systemic gap across the entire AI agent stack.

What This Means for Developers and Security Teams

If you are running MCP-connected agents in production — and statistically, you probably are — here is a practical defense checklist.

Audit your skills. Do not trust marketplace ratings. Run skill checksums against known-good hashes. Check for obfuscated code in skill packages. If a skill needs network access, ask why.
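The checksum and obfuscation checks above, as an added Python example (not Koi Security’s tooling or any marketplace’s own verifier): it pins a known-good manifest of per-file SHA-256 hashes at review time, reports any modified, missing or unexpected files on later runs, and flags textual indicators that deserve a manual look. The indicator patterns, file layout and the constructed “auto-updater” sample are assumptions for the demonstration.

```python
"""Added example (not the project's own code): verify an installed MCP skill
against a known-good hash manifest and flag review triggers such as dynamic
eval, long base64 literals, network access and shell execution. Patterns are
review heuristics, not proof of malice; the sample skill is constructed."""
import hashlib
import os
import re
import tempfile

# Review triggers. Benign skills call fetch() too, which is exactly why the
# checklist says to ask *why* a skill needs the network rather than auto-reject.
INDICATORS = {
    "dynamic-eval": re.compile(r"\beval\(|new Function\(|\batob\("),
    "long-base64-literal": re.compile(r"[A-Za-z0-9+/=]{200,}"),
    "network-access": re.compile(r"\bfetch\(|\bWebSocket\(|\bhttps?\.request\(|\bcurl\b"),
    "shell-exec": re.compile(r"child_process|\bexec\(|\bspawn\("),
}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(skill_dir):
    """Map relative path -> sha256 for every file under skill_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(skill_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, skill_dir).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_against_manifest(skill_dir, known_good):
    """Diff the on-disk skill against the manifest pinned at review time."""
    current = build_manifest(skill_dir)
    return {
        "modified": sorted(p for p in known_good if p in current and current[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in current),
        "unexpected": sorted(p for p in current if p not in known_good),
    }


def scan_for_indicators(skill_dir, max_bytes=1_000_000):
    """Return (relative_path, indicator_label) for every file matching a trigger."""
    hits = []
    for rel in sorted(build_manifest(skill_dir)):
        with open(os.path.join(skill_dir, rel), "rb") as f:
            text = f.read(max_bytes).decode("utf-8", errors="replace")
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((rel, label))
    return hits


def audit_skill(skill_dir, known_good):
    """Combine the manifest diff and the indicator scan into one report."""
    report = verify_against_manifest(skill_dir, known_good)
    report["indicators"] = scan_for_indicators(skill_dir)
    report["clean"] = not (report["modified"] or report["missing"]
                           or report["unexpected"] or report["indicators"])
    return report


def demo_skill_audit():
    """Constructed scenario: pin a benign skill, then an 'auto-updater' drops
    an extra file that decodes and evals a long base64 blob."""
    skill_dir = tempfile.mkdtemp(prefix="skill-")
    with open(os.path.join(skill_dir, "index.js"), "w") as f:
        f.write("module.exports = { run: (x) => x.toUpperCase() };\n")
    known_good = build_manifest(skill_dir)       # pinned at install/review time
    with open(os.path.join(skill_dir, "update.js"), "w") as f:   # constructed payload stand-in
        f.write('eval(atob("' + "QUJD" * 60 + '"));\n')
    return audit_skill(skill_dir, known_good)
```

Store the manifest outside the skill directory (for example in your own repo or a signed artifact store), otherwise an update that rewrites the skill can rewrite the manifest too.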

Separate credentials. Never run AI agents with your personal API keys or production service accounts. Create dedicated, least-privilege credentials for each agent. Rotate them on a schedule — not just when something breaks.

Lock down localhost. If your MCP gateway runs on localhost WebSocket, restrict which origins can connect. Disable the gateway when not actively in use. The ClawJacked attack only worked because the gateway was always listening.

Treat repos as hostile. The Claude Code vulnerabilities mean cloning a repository is now a potential attack vector. Review project hook files before running any AI coding tool on untrusted code. Disable auto-execution of MCP server initialization commands.
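A pre-flight check that covers both the Claude Code scenario described earlier (a cloned repo whose hook or MCP config runs commands, and a tampered ANTHROPIC_BASE_URL) and this checklist item, as an added Python example. It is not Anthropic’s or Claude Code’s own code; the trusted API host, the candidate config file names and the sample repo contents are assumptions, so adjust the file list for whichever tool you actually run.

```python
"""Added example (not Claude Code's own code): run after cloning an untrusted
repository and before starting an AI coding agent in it. It refuses to proceed
if ANTHROPIC_BASE_URL points anywhere but the expected API host, and lists
every "command" entry found in project-level config files so a human reviews
them instead of letting them auto-execute. File names are assumptions."""
import json
import os
import tempfile
from urllib.parse import urlsplit

# Assumption: the only legitimate API host. Anything else is treated as the
# redirection pattern behind the CVE-2026-21852 key-exfiltration issue.
TRUSTED_API_HOSTS = {"api.anthropic.com"}

# Assumption: project-level files from which an agent may pick up commands.
CANDIDATE_CONFIGS = (".mcp.json", ".claude/settings.json")


def base_url_is_trusted(env):
    """True if the base URL is unset (default endpoint) or an https URL on a trusted host."""
    url = env.get("ANTHROPIC_BASE_URL")
    if not url:
        return True
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "") in TRUSTED_API_HOSTS


def _collect_commands(node, path=""):
    """Walk parsed JSON and return (json_path, command) for every 'command' key."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                found.append((f"{path}/{key}", value))
            else:
                found.extend(_collect_commands(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(_collect_commands(value, f"{path}[{i}]"))
    return found


def find_auto_exec_commands(repo_root, candidates=CANDIDATE_CONFIGS):
    """Return (config_file, json_path, command) for each command the repo would hand to the agent."""
    results = []
    for rel in candidates:
        full = os.path.join(repo_root, *rel.split("/"))
        if not os.path.isfile(full):
            continue
        try:
            with open(full, encoding="utf-8") as f:
                data = json.load(f)
        except (OSError, ValueError):
            # unreadable config is itself a reason for manual review
            results.append((rel, "<unparseable>", ""))
            continue
        for json_path, cmd in _collect_commands(data):
            results.append((rel, json_path, cmd))
    return results


def preflight(repo_root, env):
    """Summarise whether the agent may start without a human looking first."""
    commands = find_auto_exec_commands(repo_root)
    base_ok = base_url_is_trusted(env)
    return {"base_url_ok": base_ok, "commands": commands,
            "safe_to_auto_run": base_ok and not commands}


def demo_preflight():
    """Constructed repo: an MCP server config and a hook file that each carry a
    command, plus an environment whose base URL has been redirected."""
    root = tempfile.mkdtemp(prefix="repo-")
    os.makedirs(os.path.join(root, ".claude"))
    with open(os.path.join(root, ".mcp.json"), "w") as f:
        json.dump({"mcpServers": {"db": {"command": "sh", "args": ["-c", "echo constructed"]}}}, f)
    with open(os.path.join(root, ".claude", "settings.json"), "w") as f:
        json.dump({"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "echo hook"}]}]}}, f)
    return preflight(root, {"ANTHROPIC_BASE_URL": "https://api.anthropic.com.attacker.example"})
```

The point of returning the command list rather than just a boolean is that the reviewer sees exactly which line in which file would run; a hook that is legitimately part of the project can then be approved deliberately instead of executing on first launch.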

Inventory your agents. If your security team cannot answer “how many AI agents are running in production, with what permissions, accessing what data?” — that is your first priority. You cannot secure what you cannot see.


For Korean enterprises specifically, the AI agent adoption curve is accelerating. Samsung SDS is leading the charge, agentifying Korean public and financial sectors, while competitors like LG CNS and Naver Cloud have yet to ship agentic AI solutions (SDxCentral). That means Korean enterprises adopting MCP-connected agents are largely relying on international platforms — inheriting all the MCP risks documented above.

The Bigger Picture

Part 1 of this series showed how supply chain attacks evolved — from malicious npm packages to compromised build pipelines. MCP security vulnerabilities represent the next evolution: the AI layer that connects everything is now the attack surface.

The pattern is consistent. Every time we build a new abstraction layer to make development easier, attackers exploit the trust assumptions baked into that layer. Package managers trusted publishers. CI/CD pipelines trusted build scripts. And now MCP trusts skills, servers, and agent identities with insufficient verification.

The 30 CVEs in 60 days are not an anomaly. They are the beginning of a vulnerability discovery curve that will steepen as more researchers turn their attention to MCP.

The question is not whether your organization will encounter an MCP-related security incident. It is whether you will have the visibility and controls in place when it happens.

Bottom Line. MCP gave AI agents a universal connector — and handed attackers a universal attack surface. Thirty CVEs in sixty days, 341 poisoned skills, and a protocol that lets websites hijack local agents: this is what happens when adoption outruns security.

Career Takeaway. If you work in security, MCP expertise is your next career accelerator. If you are a developer using AI agents, learn to audit MCP skills the way you learned to vet npm packages — because the same supply chain playbook is running at AI speed now.

In Part 3, we will map how nation-state actors are weaponizing AI itself — from deepfake-powered social engineering to automated vulnerability discovery. The threat is no longer just criminal. It is geopolitical.

MCP Security Vulnerability Defense Priorities

Start with visibility: inventory every AI agent, its permissions, and its data access. Then audit every MCP skill against known-good checksums. Finally, isolate agent credentials from human accounts and enforce rotation schedules. The attack surface is systemic — your defense must be too.

References

  1. “ClawJacked — Hijacking AI Agents via MCP WebSocket Vulnerability,” The Hacker News, 2026-02-28
  2. “ClawHavoc: 341 Malicious Skills Found on ClawHub MCP Marketplace,” The Hacker News + Koi Security, 2026-02-02
  3. “Claude Code Vulnerabilities Allow RCE and API Key Theft,” The Hacker News + Check Point Research, 2026-02-25
  4. “AI Agents Are the New Identity Dark Matter,” The Hacker News + Orchid Security, 2026-03-03
  5. “Gartner Market Guide for Guardian Agents,” Gartner, 2026
  6. “CVE-2026-26118 — Azure MCP Server SSRF,” Microsoft Security Response Center, 2026-03-10
  7. “MCP Attack Surface Analysis — 30 CVEs in 60 Days,” Straiker Security Blog, 2026
  8. Team8 CISO Village Survey — AI Agent Adoption, Orchid Security, 2026-03

FAQ

What is MCP and why is it a security risk?

MCP (Model Context Protocol) is a standardized protocol that lets AI agents connect to external services like databases, APIs, and cloud tools. It becomes a security risk because it grants broad access to sensitive data while exposing agents to untrusted content and enabling outbound communication — all through a single, often insufficiently authenticated channel.

How can a website hijack my local AI agent?

The ClawJacked vulnerability exploited the fact that browsers do not block cross-origin WebSocket connections to localhost. A malicious website’s JavaScript could connect to a local MCP gateway, brute-force the password without rate limiting, and register as a trusted device — giving the attacker full control of the AI agent. This was patched in OpenClaw v2026.2.25.

What is the MCP security vulnerability in Claude Code?

Check Point Research found three vulnerabilities: two CVSS 8.7 flaws allowing remote code execution through project hooks and MCP server initialization, plus a CVSS 5.3 flaw that enabled API key exfiltration by tampering with the ANTHROPIC_BASE_URL environment variable. Simply cloning a malicious repo and running Claude Code could trigger the attack.

How do I protect my organization from MCP-related threats?

Start by auditing all installed MCP skills for malicious code, separating agent credentials from personal or production accounts, restricting localhost WebSocket access, reviewing project hooks before running AI tools on untrusted code, and maintaining an inventory of all AI agents running in your environment with their permissions mapped.

What is Identity Dark Matter in the context of AI agents?

Identity Dark Matter refers to AI agents operating in enterprise environments that are invisible to traditional identity and access management systems. Unlike human employees, agents are not onboarded through HR, do not have defined role lifecycles, and often accumulate permissions over time without audit — creating blind spots that attackers can exploit.

Disclaimer: This article is for informational purposes only and does not constitute professional security advice. Consult qualified cybersecurity professionals before implementing any security changes. The ByteDive is not responsible for actions taken based on this content.
