MCP marketplaces shipped LOLBAS malware. We audited 256 agents.

I downloaded an AI agent. It was wired to invoke malware.

Six months ago a Mickai engineer downloaded an AI agent from a public MCP (Model Context Protocol) marketplace. It was wired to invoke a Living-Off-the-Land Binary (LOLBAS) chain that downloaded a remote payload through a signed Microsoft binary, executed without writing to disk, and left no signature for any static scan to catch.

None of the marketplaces caught it. So we built the one that does.

## What LOLBAS is, and why MCP agents are the perfect carrier

LOLBAS = Living Off the Land Binaries And Scripts. The technique abuses legitimate signed system binaries (powershell.exe, certutil.exe, mshta.exe, regsvr32.exe, msbuild.exe, wmic.exe and dozens of others) to download or execute a remote payload. Signature is genuine. Static scan is clean. Behavioural anomaly is buried inside arguments most endpoint protection products do not parse. Catalogued at [lolbas-project.github.io](https://lolbas-project.github.io). Maps to MITRE ATT&CK T1218 (Signed Binary Proxy Execution).

MCP agents are an ideal carrier. An MCP server ships as a small TS / Python / Node package, each tool can spawn arbitrary processes, the marketplace surface allows it. The user installs an agent that exposes a 'system info' tool. The host LLM invokes that tool. What actually runs is `powershell -EncodedCommand` plus a payload from a domain the user has never heard of.

There is no marketplace-side review that catches this. There is no user-side notification when it fires. There is no telemetry that surfaces compromise. The user is running malware they cannot see, in the trusted context of an AI tool they invited onto the machine.

## Trust Agent: 256 audited agents, 27-check pipeline

[Trust Agent](https://trust-agent.ai) is the productised result. 256 AI agents through a full 27-check audit. 20 industries: GCSE tutor, quantum-physics specialist, full C-suite team an SME can hire on the spot. Every agent carries a cryptographically verifiable certificate tied to a specific commit and a specific audit run. Every certificate is independently verifiable.

Trust Agent is powered by [Mickai](https://mickai.co.uk). Mickai is the audit framework, the signing infrastructure, the deterministic-placeholder primitives, and the copy-on-write sandbox under everything. 21 filed UK patent applications, 675 cryptographically signed claims, sole inventor.

## What users should do tonight

- Audit local MCP installs. Catalogue every agent, every tool definition, every spawned binary.
- Run any LOLBAS-aware static scan against the spawned-process surface.
- Move new agent installs to a vetted source. Trust Agent is one.
- Watch for the rest of this 5-part launch series.

[Read the full article on mickai.co.uk](https://mickai.co.uk/articles/mcp-marketplaces-shipped-lolbas-malware)

*Originally published at [mickai.co.uk](https://mickai.co.uk/articles/mcp-marketplaces-shipped-lolbas-malware).*