attack 2025

Mind Your Server: A Systematic Study of Parasitic Toolchain Attacks on the MCP Ecosystem

Shuli Zhao 1, Qinsheng Hou 1, Zihan Zhan 1, Yanhao Wang 2, Yuchong Xie 3, Yu Guo 1, Libo Chen 1, Shenghong Li 1, Zhi Xue 1

0 citations


Published on arXiv

2509.06572

OWASP LLM Top 10 categories
  • Prompt Injection (LLM01)
  • Insecure Plugin Design (LLM07)
  • Sensitive Information Disclosure (LLM06)

Key Finding

The MCP ecosystem is systematically vulnerable to Parasitic Toolchain Attacks: exploitable gadgets are found pervasively across 12,230 real-world tools, enabling stealthy private data exfiltration via manipulated LLM tool chains.

Novel technique introduced: Parasitic Toolchain Attack (MCP-UPD)


Large language models (LLMs) are increasingly integrated with external systems through the Model Context Protocol (MCP), which standardizes tool invocation and has rapidly become a backbone for LLM-powered applications. While this paradigm enhances functionality, it also introduces a fundamental security shift: LLMs transition from passive information processors to autonomous orchestrators of task-oriented toolchains, expanding the attack surface and elevating adversarial goals from manipulating single outputs to hijacking entire execution flows. In this paper, we reveal a new class of attacks, Parasitic Toolchain Attacks, instantiated as MCP Unintended Privacy Disclosure (MCP-UPD). These attacks require no direct victim interaction; instead, adversaries embed malicious instructions into external data sources that LLMs access during legitimate tasks. The malicious logic infiltrates the toolchain and unfolds in three phases: Parasitic Ingestion, Privacy Collection, and Privacy Disclosure, culminating in stealthy exfiltration of private data. Our root cause analysis reveals that MCP lacks both context-tool isolation and least-privilege enforcement, enabling adversarial instructions to propagate unchecked into sensitive tool invocations. To assess the severity, we design MCP-SEC and conduct the first large-scale security census of the MCP ecosystem, analyzing 12,230 tools across 1,360 servers. Our findings show that the MCP ecosystem is rife with exploitable gadgets and diverse attack methods, underscoring systemic risks in MCP platforms and the urgent need for defense mechanisms in LLM-integrated environments.


Key Contributions

  • Introduces Parasitic Toolchain Attacks (instantiated as MCP-UPD), a three-phase indirect injection attack that infiltrates LLM tool chains to exfiltrate private data without direct victim interaction
  • Root cause analysis showing MCP lacks context-tool isolation and least-privilege enforcement, enabling adversarial instructions to propagate unchecked into sensitive tool invocations
  • MCP-SEC, the first large-scale security census of the MCP ecosystem, analyzing 12,230 tools across 1,360 servers and identifying pervasive exploitable gadgets

🛡️ Threat Analysis


Details

Domains: nlp
Model Types: llm
Threat Tags: black_box, inference_time, targeted
Datasets: MCP ecosystem census (12,230 tools, 1,360 servers)
Applications: llm-integrated applications, mcp-based ai agents, llm tool orchestration systems