Kaspersky warns an open source AI connector, the model context protocol, could be hijacked by cybercriminals to launch stealthy supply chain attacks, risking catastrophic data leaks.
Kaspersky has warned that the model context protocol (MCP), an open source integration standard for AI systems developed by Anthropic in 2024, could become a major supply chain attack vector for cybercriminals.
MCP allows large language models (LLMs) to connect seamlessly with external services such as code repositories, customer relationship management platforms, cloud environments, and financial systems. However, Kaspersky’s Global Emergency Response Team (GERT) found that this openness could be exploited to steal sensitive information or trigger malicious code execution.
In a controlled lab simulation, the GERT team created a rogue MCP server disguised as a legitimate integration point. This setup enabled the silent theft of browser passwords, credit card details, cryptocurrency wallet files, API tokens, and cloud configurations—all while victims saw only expected outputs.
“Supply chain attacks remain one of the most pressing threats in the cybersecurity space, and the potential weaponisation of MCP we demonstrated follows this trend. With the current hype around AI and the race to integrate these tools, businesses may lower their guard and adopt a seemingly legitimate but unverified MCP. This mistake could lead to catastrophic data leaks,” said Mohamed Ghobashy, Incident Response Specialist at Kaspersky GERT.
Although Kaspersky confirmed no active exploitation has been detected, it warned that attackers could use MCP abuse to install backdoors, deploy ransomware, or trigger malicious code execution. The proof-of-concept used Cursor, an AI coding assistant, but researchers cautioned that any LLM-based app could be vulnerable. Both Cursor and Anthropic have been notified.
To mitigate risks, Kaspersky urged organisations to vet MCP servers, run them in isolated environments, monitor logs for anomalies, maintain whitelists of approved connectors, and consider managed detection and response services for stronger defence.
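One way to operationalise the allowlist recommendation, as an added example that is not Kaspersky's or Anthropic's code: a small checker that compares an MCP client configuration against a list of vetted connectors. It assumes a Cursor-style `mcp.json` layout (a top-level `mcpServers` map of name to launch command or URL); the server names, package names and URL below are constructed sample values.

```python
import json

# Constructed MCP client configuration in the shape of a Cursor-style mcp.json
# (assumption: top-level "mcpServers" mapping name -> {"command","args"} or {"url"}).
CLIENT_CONFIG = json.loads("""
{
  "mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
    "filesystem-helper": {"command": "npx", "args": ["-y", "mcp-fs-helper@latest"]},
    "crm": {"url": "https://mcp.example.internal/crm"}
  }
}
""")

# Allowlist of vetted connectors. Each entry pins the exact launch command/arguments
# or URL, so a look-alike server that reuses an approved name but points at a
# different package or endpoint is still reported.
ALLOWLIST = {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
    "crm": {"url": "https://mcp.example.internal/crm"},
}


def check_config(config, allowlist):
    """Return (server_name, reason) findings for connectors that are not approved."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        approved = allowlist.get(name)
        if approved is None:
            findings.append((name, "not in allowlist"))
            continue
        # Any drift from the pinned spec is treated as a substituted connector.
        if spec.get("url") != approved.get("url"):
            findings.append((name, "url differs from approved"))
        elif (spec.get("command") != approved.get("command")
              or spec.get("args", []) != approved.get("args", [])):
            findings.append((name, "command/args differ from approved"))
    return findings


if __name__ == "__main__":
    for server, reason in check_config(CLIENT_CONFIG, ALLOWLIST):
        print(f"REVIEW: {server}: {reason}")
```

Run it against the real client configuration as part of onboarding or a periodic audit; any finding means a connector should be vetted before the assistant is allowed to load it.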