Overview
MCP's stdio transport enables frictionless local server execution, creating a low-barrier path for users to download and run potentially malicious third-party code on their machines with full local privileges.
Who Is Affected
Analyzed by Shrivu Shankar. Affects less technical users who follow MCP integration guides instructing them to 'download and run' server implementations without security review.
Where It Exists
The risk exists in the MCP ecosystem's distribution model. MCP servers are typically distributed as source code or npm packages that run directly on the user's machine via stdio transport with full local filesystem and network access.
When It Was Found
Discussed April 1, 2025. The risk has grown with the proliferation of third-party MCP servers on GitHub and npm.
How It Works
Attackers publish an appealing MCP server (e.g., an AI-powered productivity tool) on GitHub or npm. Installation instructions tell users to clone and run the code locally. The server runs with the user's full permissions and can access files, network, and system resources. Malicious code can execute alongside legitimate MCP functionality.
Impact
Full local system compromise including file access, credential theft, cryptocurrency wallet exfiltration, keylogging, and persistent backdoor installation. The stdio transport provides no sandboxing or permission boundaries between the server and the host system.
Mitigation
Run MCP servers in containers or sandboxed environments. Review server source code before installation. Prefer servers from verified publishers. Use operating system-level permission restrictions. Monitor MCP server network activity for unexpected connections.
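The two mitigations that a user can apply mechanically, checking what a stdio server entry actually spawns and wrapping it in a container, are shown below as an added example (not code from the original page or from any MCP project). It assumes the `mcpServers` / `command` / `args` layout that common MCP clients use for stdio servers; the server names, packages and paths are constructed.

```python
import re

# Constructed sample of an MCP client configuration; the mcpServers/command/args
# layout is an assumption about the client's format. Load a real one with json.load().
SAMPLE_CONFIG = {
    "mcpServers": {
        "notes": {"command": "npx", "args": ["-y", "cool-notes-mcp"]},
        "files": {"command": "npx", "args": ["-y", "@acme/files-mcp@1.4.2"]},
        "custom": {"command": "node", "args": ["/home/me/Downloads/tool/index.js"]},
        "remote": {"url": "https://mcp.example.invalid/sse"},
    }
}

AUTO_INSTALL_FLAGS = {"-y", "--yes"}
# name@MAJOR.MINOR.PATCH, optionally scoped (@scope/name@1.2.3)
PINNED = re.compile(r"^(@[^/@]+/)?[^@/]+@\d+\.\d+\.\d+$")


def audit_stdio_servers(config: dict) -> dict:
    """Return {server_name: [findings]} for stdio servers that spawn third-party
    code on the host. Entries without 'command' (HTTP/SSE) spawn nothing locally."""
    findings = {}
    for name, spec in config.get("mcpServers", {}).items():
        if "command" not in spec:
            continue
        cmd, args = spec["command"], spec.get("args", [])
        issues = []
        if cmd == "npx":
            pkgs = [a for a in args if not a.startswith("-")]
            if AUTO_INSTALL_FLAGS & set(args):
                issues.append("auto-installs a registry package at every launch")
            if pkgs and not PINNED.match(pkgs[0]):
                issues.append(f"package {pkgs[0]!r} is not pinned to an exact version")
        if cmd not in ("docker", "podman"):
            issues.append("runs on the host with the user's full privileges")
        if issues:
            findings[name] = issues
    return findings


def containerized_spec(spec: dict, image: str = "node:20-slim",
                       allow_network: bool = False) -> dict:
    """Rewrite a stdio spec so the same command runs in a container with no host
    mounts, all capabilities dropped and, by default, no network. -i keeps stdin
    and stdout attached, which is all the stdio transport needs."""
    args = ["run", "-i", "--rm", "--cap-drop", "ALL", "--security-opt", "no-new-privileges"]
    if not allow_network:
        args += ["--network", "none"]
    return {"command": "docker", "args": args + [image, spec["command"], *spec.get("args", [])]}
```

With the network disabled, the package has to be present in the image already (for example baked into a derived image after review); a server that genuinely needs the network gets `allow_network=True`, and its connections are then the ones worth monitoring.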