Zealynx AI Security & Hacks Library

OX Security disclosed that Anthropic's official MCP SDKs allow configuration values to shape the spawned command line, turning supply-chain or config control into host-side execution authority.

Why it matters: This is a runtime authority and supply-chain problem at the execution sink. If config can steer process spawn, any poisoned registry entry, package, or deployment default can become code execution.

An auth bypass in an nginx-ui MCP endpoint created a direct route to remote code execution.

Why it matters: Exposed MCP endpoints collapse identity, transport, and execution risk into one path. Once auth is weak, the rest of the runtime inherits the blast radius.

Three chained flaws in Anthropic's mcp-server-git showed how repository tooling can amplify multiple smaller weaknesses into a critical compromise path.

Why it matters: Git tooling sits at the center of coding-agent authority. Chained flaws here can affect code integrity, branch safety, and CI trust.

A command injection flaw in gemini-mcp-tool showed how look-alike or loosely reviewed MCP packages can become direct shell compromise paths.

Why it matters: This is a combined package-provenance and prompt-to-shell problem. The package name can look benign while its execution semantics are dangerous.

Flowise's CustomMCP node exposed a CVSS 10.0 path from STDIO transport handling to remote code execution.

Why it matters: Transport semantics are part of the authority plane. If the connector bridge is unsafe, every downstream tool inherits that insecurity.

A trojanized Postmark MCP package on npm silently BCC'd every outbound email to an attacker-controlled inbox.

Why it matters: This is the cleanest example of MCP impersonation and agentic supply-chain failure. The connector looked legitimate while exfiltrating sensitive communication.

EscapeRoute showed that symlink and path-prefix bypasses in Anthropic's Filesystem MCP server could break assumed file-scope restrictions.

Why it matters: Filesystem scope is one of the main safety claims in agent tooling. If it can be bypassed, file-read and file-write boundaries are not trustworthy controls.

CurXecute showed how a workspace-file write path in Cursor could become remote code execution.

Why it matters: Coding agents collapse repository trust and execution. Once a writable workspace can shape later execution, prompt-to-sink chains become practical.

The MCPoison issue in Cursor showed that malicious tool descriptions could steer agent behavior through descriptor injection.

Why it matters: This demonstrates that prose policy and tool metadata can function as authorization logic when the runtime lacks robust separation.

A malicious authorization_endpoint value in mcp-remote's OAuth flow could trigger OS command execution during connection setup.

Why it matters: OAuth metadata looked like configuration, but in practice it became shell influence. The lesson is that remote handshake state can be part of the prompt-to-sink path.

A critical unauthenticated RCE in Anthropic's official MCP Inspector exposed developer machines to host compromise.

Why it matters: Official tooling can still be part of the attack surface. Auditors cannot assume first-party MCP infrastructure is safe by default.

Invariant Labs documented a peer-server tool poisoning attack where poisoned tool descriptions enabled silent exfiltration of WhatsApp chat history.

Why it matters: This is one of the first concrete proofs that tool descriptors themselves can act like privileged prompt injection inside a multi-tool agent runtime.