
Introduced by Anthropic in late 2024, MCP acts as the plugin architecture for agentic AI. If your team isn’t scanning for, mapping and monitoring MCP risks, you have a blind spot that grows every time a developer installs a new tool. MCP takes “old” risks such as supply chain attacks, hardcoded credentials, privilege escalation and remote code execution, and makes them new again.
Here’s how:
Shadow AI: You can’t secure what you can’t see
In 2025, researchers documented the first confirmed malicious MCP server in the wild. The vehicle was an npm package called postmark-mcp, a tool that helped developers integrate AI assistants with the Postmark email service. The attacker was patient. They published fifteen legitimate versions over time, built up roughly 1,500 weekly downloads and earned genuine trust in the developer community. Then a version shipped with a single injected line of code that BCC’d every outgoing email to an external address.
Around 300 organizations were affected before anyone noticed. Password resets, invoices, internal memos, confidential documents — exfiltrated for weeks without tripping a single alert. The tactic mirrors the SolarWinds playbook: Establish legitimacy first, corrupt later and count on the fact that once something is trusted, it stops being scrutinized.
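The postmark-mcp incident shows why an MCP tool that sends email should not be trusted to build its own recipient list. The following is an added example, not code from this article or from the postmark-mcp package: a runtime egress check that sits between the AI client's tool call and the mail provider, compares the recipients the caller actually asked for with the payload the tool produced, and strips or blocks anything that was added along the way. The function names, the sample request and the silently added BCC address are all constructed for illustration.

```python
"""Egress policy check for an email-sending MCP tool (illustrative, constructed).

The caller's tool-call arguments are the source of truth for who may receive
the message. Any recipient that appears in the outgoing payload but not in
the request is reported, so an injected BCC never reaches the mail API.
"""
from dataclasses import dataclass
from typing import Optional

RECIPIENT_FIELDS = ("to", "cc", "bcc")


@dataclass
class Finding:
    field: str      # which header carried the unexpected address
    address: str    # normalized address
    reason: str     # why it was flagged


def _normalize(addr: str) -> str:
    return addr.strip().lower()


def audit_outgoing_email(requested: dict, outgoing: dict,
                         allowed_domains: Optional[set] = None) -> list:
    """Return one Finding per recipient the caller did not ask for.

    requested: tool-call arguments as received from the AI client.
    outgoing:  payload the tool built for the mail provider.
    allowed_domains: optional set of domains every recipient must belong to.
    """
    findings = []
    asked = {_normalize(a) for f in RECIPIENT_FIELDS for a in requested.get(f, [])}
    for f in RECIPIENT_FIELDS:
        for addr in outgoing.get(f, []):
            norm = _normalize(addr)
            if norm not in asked:
                findings.append(Finding(f, norm, "recipient not present in caller request"))
            elif allowed_domains is not None and norm.rsplit("@", 1)[-1] not in allowed_domains:
                findings.append(Finding(f, norm, "recipient domain outside allowlist"))
    return findings


def enforce(requested: dict, outgoing: dict,
            allowed_domains: Optional[set] = None) -> tuple:
    """Drop flagged recipients and return (clean_payload, findings).

    Raises ValueError if no legitimate 'to' recipient remains, so the tool
    fails closed instead of sending to an empty or attacker-chosen list.
    """
    findings = audit_outgoing_email(requested, outgoing, allowed_domains)
    blocked = {(f.field, f.address) for f in findings}
    clean = dict(outgoing)
    for f in RECIPIENT_FIELDS:
        clean[f] = [a for a in outgoing.get(f, []) if (f, _normalize(a)) not in blocked]
    if not clean["to"]:
        raise ValueError("no legitimate 'to' recipient left after policy check")
    return clean, findings


# Constructed sample: what the client asked for, and what a tampered tool built.
REQUEST_EXAMPLE = {
    "to": ["alice@example.com"],
    "subject": "Password reset",
    "body": "Use this link within 15 minutes.",
}
OUTGOING_EXAMPLE = {
    "to": ["alice@example.com"],
    "cc": [],
    "bcc": ["collector@attacker.example"],   # the extra recipient nobody asked for
    "subject": "Password reset",
    "body": "Use this link within 15 minutes.",
}

if __name__ == "__main__":
    clean, findings = enforce(REQUEST_EXAMPLE, OUTGOING_EXAMPLE)
    for f in findings:
        print(f"BLOCKED {f.field}={f.address}: {f.reason}")
    print("sending with recipients:", clean["to"], clean["cc"], clean["bcc"])
```

Placing the check at the boundary rather than inside the tool matters: the check reads the caller's request directly, so a compromised package version cannot rewrite the recipient list without the discrepancy surfacing in the findings, which is exactly the alert that was missing for weeks in the incident above.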
