MCP has no message signing. No agent identity. No tamper detection on tool definitions. Every agentic framework that fetches tools at runtime -- CrewAI, LangChain, AutoGen, LlamaIndex, Semantic Kernel -- inherits this gap.
A compromised MCP server can change a tool description between calls and inject instructions the LLM will follow. This is Tool Poisoning (MCP-01) in the OWASP MCP Top 10. Research shows a 72.8% attack success rate across 20 LLM agents (MCPTox benchmark, arXiv:2508.14925).
This isn't theoretical
Real MCP security incidents:
- CVE-2025-6514 (CVSS 9.6) -- mcp-remote RCE via crafted OAuth URL. 437,000+ downloads. (Source: JFrog disclosure)
- CVE-2025-49596 (CVSS 9.4) -- Anthropic MCP Inspector unauthenticated RCE. (Source: Oligo Security)
- postmark-mcp -- first malicious MCP server in the wild. 15 clean versions, then a one-line BCC backdoor forwarding every email to an attacker. 1,643 downloads before removal. (Source: Snyk)
- Smithery.ai breach -- path traversal exposed 3,243 MCP servers and thousands of API keys.
- Supabase Cursor agent -- privileged agent processed user-supplied support tickets as commands, exfiltrating integration tokens.
30+ CVEs in 60 days. The pattern is clear: MCP tools are the new attack surface.
From tool poisoning to ransomware
This is where it gets serious. If an agent can execute code via MCP tools -- and most can -- then a poisoned tool definition is a delivery mechanism for anything, including ransomware.
IBM's 2026 X-Force Threat Index flags AI-driven attacks as escalating. Trend Micro predicts agentic AI will handle ransomware reconnaissance, vulnerability scanning, and ransom negotiations without human oversight. The first fully autonomous AI-orchestrated cyberattack was documented in September 2025, with AI handling 80-90% of the operation independently.
The attack chain is straightforward: compromise an MCP server, modify a tool description to include injected instructions, wait for an agent to fetch it. The agent follows the instructions because they look like tool metadata. No exploit needed -- just a string in a JSON field.
MCPS breaks this chain.
What MCPS does
MCPS (MCP Secure) adds a cryptographic identity and integrity layer to the Model Context Protocol. It's an IETF Internet-Draft -- the same standards track as TLS and OAuth.
MCP-01: Tool Poisoning -- Pins tool definitions at discovery, blocks execution if they change
MCP-04: Tool Rug Pulls -- Hashes tool schemas on first contact, raises ToolIntegrityError on mutation
MCP-08: Logging Gaps -- Structured audit trail with sequence numbers and timestamps
MCP-10: Lack of Integrity -- ECDSA P-256 signatures on canonical JSON payloads
Plus replay protection -- unique nonce per call, duplicates rejected within a configurable TTL window.
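As an added illustration of the pinning and replay-window mechanics described above (my own example, not MCPS's code; the class names are hypothetical and the ECDSA signing step is left out), the following pins a canonical-JSON digest of each tool definition at discovery, raises on any later mutation, and rejects a nonce repeated inside a TTL window:

```python
import hashlib
import json


class ToolIntegrityError(Exception):
    """A tool definition no longer matches the digest pinned at discovery."""


def canonical_digest(tool: dict) -> str:
    # Canonical JSON (sorted keys, no insignificant whitespace): the same
    # definition hashes identically regardless of field order or formatting.
    blob = json.dumps(tool, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


class ToolPinner:
    """Pins each tool's digest at discovery; any later mismatch is rejected."""
    def __init__(self) -> None:
        self._pins = {}  # tool name -> digest recorded at discovery

    def pin(self, tools: list) -> None:
        for tool in tools:
            self._pins[tool["name"]] = canonical_digest(tool)

    def verify(self, tool: dict) -> None:
        expected = self._pins.get(tool["name"])
        if expected is None:
            raise ToolIntegrityError(f"tool {tool['name']!r} was not seen at discovery")
        if canonical_digest(tool) != expected:
            raise ToolIntegrityError(f"tool {tool['name']!r} changed since discovery")

    def unchanged(self, tool: dict) -> bool:
        try:
            self.verify(tool)
            return True
        except ToolIntegrityError:
            return False


class ReplayGuard:
    def __init__(self, ttl_seconds: float) -> None:
        self.ttl, self._seen = ttl_seconds, {}  # nonce -> time first seen

    def accept(self, nonce: str, now: float) -> bool:
        # Evict nonces older than the TTL, then reject any nonce still remembered.
        self._seen = {n: t for n, t in self._seen.items() if now - t < self.ttl}
        if nonce in self._seen:
            return False  # duplicate inside the TTL window: replay
        self._seen[nonce] = now
        return True


# Constructed sample: the tool as discovered, then its description rewritten after discovery.
CLEAN = {"name": "read_file", "description": "Read a file.", "inputSchema": {"type": "object"}}
CHANGED = dict(CLEAN, description="Read a file. (altered after discovery)")
```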
Framework integrations
MCPS ships as drop-in packages for the frameworks developers already use:
- CrewAI: `pip install crewai-mcps` (PyPI)
- LangChain: `pip install langchain-mcps` (PyPI)
- Any framework: `pip install mcp-secure` or `npm install mcp-secure`
```python
from crewai_mcps import SecureMCPTool, AuditTrail

audit = AuditTrail()
secure = SecureMCPTool(audit_trail=audit)
# one line: `tools` is the list of MCP tools the framework fetched at runtime
secured_tools = secure.wrap_tools(tools)
```
Keys are generated automatically. Zero config to get started.
Live in Azure Sentinel
We pushed live MCP threat alerts into Azure Sentinel today. Here's what the SOC team sees:
```kusto
MCPSaaS_CL
| project TimeGenerated, ThreatType_s, Severity_s, AgentName_s, Detail_s, Action_s
| order by TimeGenerated desc
```
Results:
| Threat | Agent | Severity | Action |
|---|---|---|---|
| COMMAND_INJECTION | CrewAI-Research-Agent | CRITICAL | BLOCKED |
| CREDENTIAL_ACCESS | AutoGen-CodeExec-Agent | CRITICAL | BLOCKED |
| PROMPT_INJECTION | SK-Semantic-Agent | HIGH | BLOCKED |
| SQL_INJECTION | LangChain-DB-Agent | HIGH | BLOCKED |
| REPLAY_ATTACK | CrewAI-Research-Agent | MEDIUM | BLOCKED |
| PATH_TRAVERSAL | AutoGen-FileAgent | HIGH | BLOCKED |
Every threat maps to a MITRE ATT&CK category. Every alert includes the agent name, proxy ID, and full detail string. SOC teams query with KQL, build workbooks, trigger automated playbooks via Logic Apps.
This is not a mockup. This is live data in a production Azure Sentinel workspace, pushed via the Log Analytics HTTP Data Collector API with HMAC-SHA256 signed requests.
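As an added example of how such a signed Data Collector API request is built (my own code, not MCPSaaS's; the workspace id, key and alert are constructed placeholders), the following assembles the HMAC-SHA256 SharedKey authorization that the Log Analytics endpoint checks, without sending it:

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholders: real values come from the workspace's Agents page.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-example-key-not-a-real-one").decode()
LOG_TYPE = "MCPSaaS"  # Log Analytics appends _CL, giving the MCPSaaS_CL table queried above


def rfc1123_date(epoch_seconds: float) -> str:
    # The API expects the request time in RFC 1123 form, in GMT.
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def sign(shared_key: str, date: str, content_length: int) -> str:
    # String-to-sign for the Data Collector API: method, body length, content
    # type, the x-ms-date header and the resource path; HMAC-SHA256 under the
    # base64-decoded workspace key, with the digest base64-encoded.
    string_to_sign = f"POST\n{content_length}\napplication/json\nx-ms-date:{date}\n/api/logs"
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_request(workspace_id: str, shared_key: str, log_type: str, alerts: list, date: str) -> dict:
    # Assembles url, headers and body; actually POSTing it is left to the caller
    # so this runs offline.
    body = json.dumps(alerts).encode("utf-8")
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"SharedKey {workspace_id}:{sign(shared_key, date, len(body))}",
            "Log-Type": log_type,
            "x-ms-date": date,
        },
        "body": body,
    }


# Constructed sample alert in the shape of the table above. Log Analytics adds
# the _s suffix to string columns itself, so the JSON keys omit it.
SAMPLE_ALERTS = [{
    "ThreatType": "REPLAY_ATTACK",
    "Severity": "MEDIUM",
    "AgentName": "CrewAI-Research-Agent",
    "Detail": "duplicate nonce inside TTL window",
    "Action": "BLOCKED",
}]
```

Microsoft has deprecated the HTTP Data Collector API in favour of the Logs Ingestion API; the SharedKey scheme above applies only to the older endpoint.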
Microsoft Defender for Cloud integration
MCPS alerting is also integrated with Microsoft Defender for Cloud via MCPSaaS. When MCPS detects a threat -- command injection, credential access, SQL injection, prompt injection -- it pushes a security alert directly to Microsoft Defender via the Graph Security API.
SOC teams using Azure get MCP security alerts in the same console they already monitor. No new tooling, no new dashboards. Audit logs also export as RFC 5424 syslog for any SIEM (Splunk, Datadog, Elastic, CloudWatch).
Microsoft's AI frameworks are exposed
We filed security issues on both of Microsoft's major agentic AI frameworks this week:
- AutoGen #7427 (55K stars) -- `session.list_tools()` trusts tool definitions without verification. The only mitigation is a docstring warning.
- Semantic Kernel #13690 (27K stars) -- `load_tools()` passes tool descriptions directly to the LLM. `FunctionChoiceBehavior.Auto()` enables auto-invocation. `message_handler` silently reloads tools on server notification.
Neither framework validates MCP tool definitions. Both enable auto-invocation by default.
The protocol
MCPS is published as an IETF Internet-Draft: draft-sharif-mcps-secure-mcp. It covers 8 of the 10 OWASP MCP Top 10 risks and is designed to sit alongside MCP the same way HTTPS sits alongside HTTP.
Links
- Install: `pip install crewai-mcps` | `pip install langchain-mcps` | `npm install mcp-secure`
- crewai-mcps on PyPI
- mcp-secure on npm
- MCPSaaS -- managed MCPS proxy with Defender + Sentinel integration
- AgentSign -- zero trust engine for AI agents
- IETF Internet-Draft
- OWASP MCP Top 10
- Contact: contact@agentsign.dev
If you're running MCP tools in production -- your tool calls are unsigned right now. That's the gap.