MCP Impersonation

An attack where a malicious MCP server poses as a legitimate service so that an AI agent connecting to it executes the attacker's tools while believing it is using a trusted vendor.

MCP Impersonation is the agentic-AI form of supply-chain attack: a malicious server is published or redirected so that an AI agent trying to connect to a trusted third-party service ends up connecting to an attacker-controlled implementation instead. Once connected, the agent uses the impersonating server's tools — sending messages, transferring data, performing actions — while the user and the agent both believe they are interacting with the legitimate vendor.

The pattern was named explicitly in the OWASP Top 10 for Agentic Applications 2026 under ASI04: Agentic Supply Chain Vulnerabilities, with the September 2025 Postmark MCP incident cited as the worked example. A trojanised version of the Postmark MCP server, published to npm, BCC'd every email the agent sent through it to an attacker-controlled inbox. From the user's perspective the agent simply did its job. From the operator's perspective every outbound communication was being silently exfiltrated.

Why MCP Impersonation Differs From Classic Phishing

In a traditional phishing attack the human user is the target; they have to be tricked into clicking. In MCP Impersonation the AI agent is the target, and the user need not be tricked at all. The agent connects to the impersonating server through the same configuration mechanism that makes MCP useful: a registry entry, a package install, a remote URL. Once the connection is established, the trust boundary between agent and tool is opaque to the user. There is no warning dialog, no certificate prompt, no opportunity to inspect the destination.

Compounding this, MCP servers are typically distributed as packages (npm, PyPI) or hosted endpoints. The attack surface includes package registry compromise where a maintainer account is taken over and a poisoned version published; look-alike packages published under similar names to legitimate vendors, banking on developer typos or rushed installs; hosted-endpoint redirection through DNS, BGP, or registry-level redirection to attacker infrastructure; and deprecated-package squatting where an abandoned official package is republished with malicious functionality.

Detection and Response

Defences mirror those for classic supply-chain attacks but require additional MCP-specific layers. Operators should pin installed MCP server versions and verify cryptographic signatures, restrict outbound network egress from MCP server processes, and treat any change in a tool's behaviour or output schema as an incident requiring investigation. Operationally, audit logs should record which MCP server was active per agent invocation so post-incident analysis can attribute every action to its source.

In the broader pattern record, MCP Impersonation is one of the canonical patterns documented in the MCP Breach Index 2025–2026, alongside tool poisoning attacks and STDIO-transport remote code execution.

© 2026 Zealynx