ML Security PapersLeechHijack: Covert Computational Resource Exploitation in Intelligent Agent Systems
Yuanhe Zhang 1, Weiliu Wang 2, Zhenhong Zhou 3, Kun Wang 3, Jie Zhang 4, Li Sun 5, Yang Liu 3, Sen Su 1,6
1 Beijing University of Posts and Telecommunications
3 Nanyang Technological University
4 A*STAR
Published on arXiv
2512.02321
Insecure Plugin Design
OWASP LLM Top 10 — LLM07
Key Finding
LeechHijack achieves 77.25% average attack success rate across four major LLM families with 18.62% resource overhead, remaining undetectable by existing auditing frameworks
LeechHijack
Novel technique introduced
Large Language Model (LLM)-based agents have demonstrated remarkable capabilities in reasoning, planning, and tool usage. The recently proposed Model Context Protocol (MCP) has emerged as a unifying framework for integrating external tools into agent systems, enabling a thriving open ecosystem of community-built functionalities. However, the openness and composability that make MCP appealing also introduce a critical yet overlooked security assumption -- implicit trust in third-party tool providers. In this work, we identify and formalize a new class of attacks that exploit this trust boundary without violating explicit permissions. We term this new attack vector implicit toxicity, where malicious behaviors occur entirely within the allowed privilege scope. We propose LeechHijack, a Latent Embedded Exploit for Computation Hijacking, in which an adversarial MCP tool covertly expropriates the agent's computational resources for unauthorized workloads. LeechHijack operates through a two-stage mechanism: an implantation stage that embeds a benign-looking backdoor in a tool, and an exploitation stage where the backdoor activates upon predefined triggers to establish a command-and-control channel. Through this channel, the attacker injects additional tasks that the agent executes as if they were part of its normal workflow, effectively parasitizing the user's compute budget. We implement LeechHijack across four major LLM families. Experiments show that LeechHijack achieves an average success rate of 77.25%, with a resource overhead of 18.62% compared to the baseline. This study highlights the urgent need for computational provenance and resource attestation mechanisms to safeguard the emerging MCP ecosystem.
Key Contributions
- Formalizes 'implicit toxicity' — a new attack class where malicious behaviors occur entirely within the allowed privilege scope of MCP tools, evading explicit permission checks
- Proposes LeechHijack, a two-stage attack (implantation + exploitation) using a backdoored MCP tool to hijack LLM agent compute resources via a covert command-and-control channel
- Demonstrates 77.25% average success rate across four LLM families (DeepSeek, Qwen, GPT, Gemini) with only 18.62% detectable resource overhead, bypassing existing code auditing and runtime monitoring