InsAIts

InsAIts — MCP Security Reference

Status: Living document — updated as new CVEs are discovered.
Last updated: March 2026
Purpose: Documents the MCP threat landscape that InsAIts runtime detectors are built against.

Why This Document Exists

Every InsAIts detector maps to a documented, real-world attack. This file is the source of truth for that mapping. When a new CVE is published, this document is updated first — then the corresponding detector is built or updated.

The core positioning: mcp-scan does static scanning (checks tool descriptions before deployment). InsAIts is the runtime layer — watching what actually flows through the channel while it runs. These are complementary tools, not competitors.

MCP Ecosystem Status (March 2026)

The security gap: None of these deployments have a runtime semantic monitoring layer. mcp-scan provides static pre-deployment scanning. No tool monitors the semantic quality and behavioral integrity of what flows through MCP channels at runtime.

Critical CVEs — Complete Registry

CRITICAL Severity (CVSS 9.0+)

CVE Component CVSS Description InsAIts Detection
CVE-2025-6514 mcp-remote npm package 9.6 RCE via OS command injection when connecting to untrusted MCP server. 558,000+ downloads. 437,000+ developer environments compromised. Attackers gained access to environment variables, credentials, internal repositories. Behavioral anomaly post-connection: tool calling patterns outside baseline
CVE-2025-49596 Anthropic MCP Inspector 9.4 RCE via DNS rebinding + 0.0.0.0 flaw. Malicious website executes arbitrary code on developer machine without user interaction. SSH keys, cloud credentials, entire filesystem exposed. Post-exploitation behavioral drift detection
CVE-2025-52882 Multiple MCP servers 8.8 Authentication bypass — OAuth token confusion allows privilege escalation. Confused deputy: server uses another user’s credentials. Agent calling tools outside its registered permission scope

HIGH Severity (CVSS 7.0–8.9)

CVE Component CVSS Description InsAIts Detection
CVE-2025-53109 Anthropic Filesystem MCP 8.4 Sandbox escape via symlink bypass. Full host filesystem exposure outside permitted directories. Anomalous file path patterns in tool arguments
CVE-2025-53110 Anthropic Filesystem MCP 7.3 Containment bypass — companion to CVE-2025-53109. Chained for complete RCE via malicious .git/config. Same as above — chained detection
CVE-2025-68145 Anthropic mcp-server-git High Path validation bypass — first in chain of 3 CVEs in Anthropic’s own git server. Path traversal patterns in tool calls
CVE-2025-68143 Anthropic mcp-server-git High Unrestricted git_init — can turn .ssh directory into a git repo, exposing SSH keys. git_init called outside expected working directories
CVE-2025-68144 Anthropic mcp-server-git High Argument injection in git_diff — final link in RCE chain. Anomalous argument patterns in git tool calls
CVE-2025-54135 (CurXecute) Cursor IDE High Prompt injection via MCP-connected Slack modifies global mcp.json config. Commands execute immediately without approval. Prompt injection detector — config modification patterns
CVE-2025-54136 (MCPoison) Cursor IDE High MCP trust bypass — approving server with project-specific mcp.json enables persistent code execution. New agent registration outside established session

No CVE — But Documented and Exploited in the Wild

Attack Target Severity Description InsAIts Detection
Tool Poisoning All MCP deployments CRITICAL Hidden instructions in tool descriptions. LLM follows them; user never sees them. Requires no tool invocation — loading into context is sufficient. Tool description semantic divergence detector (Detector Priority #1)
Rug Pull All MCP deployments HIGH Tool changes behavior after initial user approval. Static hash detection exists in mcp-scan — behavioral detection is InsAIts’ domain. Behavioral fingerprint change post-update detector
WhatsApp History Exfil whatsapp-mcp + any agent CRITICAL Poisoned tool + legitimate whatsapp-mcp combined to silently exfiltrate entire WhatsApp message history. Exfiltration pattern detector — unusual data routing
Postmark Clone (first in wild) npm registry HIGH Impersonated Postmark email service. Secretly BCC’d every agent-sent email to attacker. Cited in OWASP Agentic Top 10. BCC pattern detector — output routing anomaly
Figma MCP RCE Figma MCP Server HIGH child_process.exec with untrusted input. Arbitrary commands via MCP tooling. Tool argument injection patterns
Microsoft MarkItDown SSRF Microsoft MCP Server HIGH Fetches arbitrary URLs without validation. AWS EC2 metadata service accessible — cloud credentials exposed. Microsoft classified as low-risk despite demonstrated EC2 access. External URL fetch anomaly — metadata endpoint patterns
Slopsquatting / PhantomRaven npm registry HIGH 126 malicious packages registered under names AI assistants hallucinate when recommending packages. Agents install them autonomously. Package name hallucination detector
0.0.0.0-day All localhost MCP servers HIGH Browsers send requests to localhost MCP servers. No RFC fix available — bind to 127.0.0.1 is the only mitigation. Infrastructure layer — outside InsAIts scope
Dual Reverse Shell npm registry CRITICAL Backdoored MCP server with install-time AND runtime reverse shells. Persistent remote access. Cited in OWASP Agentic Top 10. Post-install behavioral anomaly detection

OWASP Framework Coverage

OWASP MCP Top 10 (Beta — March 2026)

Source: github.com/OWASP/www-project-mcp-top-10

ID Risk InsAIts Coverage Notes
MCP01 Token Mismanagement & Secret Exposure ✅ YES PII/credential pattern scanner in message content
MCP02 Privilege Escalation & Excessive Permissions ⚠️ PARTIAL Behavioral anomalies from over-privileged agents detectable
MCP03 Tool Poisoning & Prompt Injection ✅ YES Semantic divergence between stated tool purpose and runtime behavior
MCP04 Supply Chain Attacks ⚠️ PARTIAL Behavioral changes post-update detectable; install-time is mcp-scan
MCP05 Command Injection & RCE ❌ NO Infrastructure security — outside message monitoring scope
MCP06 Insecure Memory & Context Sharing ✅ YES Context collapse detector catches cross-session semantic bleed
MCP07 Insufficient AuthN & AuthZ ❌ NO Infrastructure layer — outside InsAIts scope
MCP08 Lack of Telemetry & Audit Trails ✅ YES SHA-256 tamper-evident audit log — direct match
MCP09 Shadow MCP Servers ⚠️ PARTIAL Behavioral fingerprinting detects novel/unexpected agents
MCP10 Cross-Tenant Data Leakage ✅ YES Information flow tracking — data appearing where it should not

OWASP Agentic AI Top 10 (December 2025)

ID Risk InsAIts Coverage Notes
ASI01 Goal Hijacking ✅ YES Context collapse + semantic drift detectors catch goal divergence
ASI02 Prompt Manipulation ✅ YES Prompt injection detector
ASI03 Memory Poisoning ✅ YES Hallucination chain detector catches false information propagation
ASI04 Supply Chain Vulnerabilities ⚠️ PARTIAL Behavioral change post-installation detectable
ASI05 Unexpected Code Execution ⚠️ PARTIAL Tool call anomaly detection
ASI06 Sensitive Data Exposure ✅ YES PII pattern scanner in message content
ASI07 Inter-Agent Communication Abuse ✅ YES InsAIts’ primary design target
ASI08 Cascading Failures ✅ YES Hallucination chain + circuit breaker
ASI09 Rogue Agent Behavior ✅ YES POMDP belief tracker + circuit breaker
ASI10 Governance & Accountability Gaps ✅ YES Tamper-evident SHA-256 audit log — direct match

Attack Type Taxonomy

Layer 1 — Content/Semantic Attacks (InsAIts Primary Domain)

These are the attacks InsAIts is designed to catch. They happen in the message content layer — after connection, during operation.

Attack Mechanism OWASP InsAIts Detector Status
Tool Poisoning Hidden instructions in tool descriptions executed by LLM MCP03 ToolDescriptionDivergenceDetector 🔴 Build Priority #1
Prompt Injection Malicious text in tool results overrides agent behavior MCP03, ASI02 PromptInjectionDetector ✅ V3 shipped
Indirect Prompt Injection Attack via external data (web, email) agent reads MCP03 PromptInjectionDetector ✅ V3 shipped
Hallucination Chain Uncertain claim becomes stated fact across agents ASI03, ASI08 HallucinationChainDetector ✅ V3 shipped
Semantic Drift Topic/meaning shifts without acknowledgment ASI01 SemanticDriftDetector ✅ V3 shipped
Jargon Drift Agents develop private shorthand ASI07 JargonDriftDetector ✅ V3 shipped
Context Collapse Critical context lost between agent turns MCP06 ContextCollapseDetector ✅ V3 shipped
Goal Hijacking Agent’s objective silently replaced ASI01 SemanticDriftDetector ✅ V3 shipped
Blank Response Empty or near-empty agent output Quality BlankResponseDetector ✅ V3 shipped
Stalling Agent asks for info instead of proceeding Quality WaitingDetector ✅ V3 shipped
Repetition Loop Agent stuck in content loop ASI08 RepetitionLoopDetector ✅ V3 shipped
Truncation Response cut off mid-content Quality TruncationDetector ✅ V3 shipped
Incomplete Code TODO/placeholder passed as complete output Quality IncompleteCodeDetector ✅ V3 shipped
Credential Exposure API keys, PII in inter-agent messages MCP01, ASI06 CredentialPatternDetector 🔴 Build Priority #3
Cross-Agent Info Leak Data appears where agent shouldn’t have it MCP06, MCP10 InformationFlowTracker 🔴 Build Priority #4
Rug Pull Behavioral Change Tool changes behavior post-update MCP04 BehavioralFingerprintDetector 🔴 Build Priority #2

Layer 2 — Protocol/Infrastructure Attacks (Outside InsAIts Scope)

These require network-layer or OS-layer protection. InsAIts operates at the message content layer and cannot catch these.

Attack Why InsAIts Cannot Catch It Correct Mitigation
DNS Rebinding Happens at TCP connection, before any message content Network firewall, bind to 127.0.0.1 only
OAuth Injection Happens at authentication, before session Proper OAuth 2.1 with JWKS
Sandbox Escape OS-level symlink traversal OS sandboxing, chroot
Command Injection Unsanitized input to exec() in server code Input validation at server
0.0.0.0-day Browser networking, no application fix Bind to 127.0.0.1 only

Competitor Landscape

Tool Mode Focus Key Gap vs InsAIts
mcp-scan (Invariant → Snyk) Static + Runtime proxy Policy enforcement, PII blocking, tool description scanning Sends data to Snyk servers. No semantic drift. No hallucination detection. No AI-to-AI behavioral analysis. Hosted Explorer shut down January 2026.
Prompt Security Cloud gateway Real-time endpoint control, risk assessment Cloud-only — data leaves machine. No behavioral baselines. No AI-to-AI anomaly detection.
ScanMCP Cloud scanning Context drift, protocol misconfigurations Cloud-only. Shallow context drift vs InsAIts EWMA embedding baseline. No circuit breaker. No POMDP.
Equixly Static scanning OAuth validation, anomaly detection, logging No AI-to-AI semantic monitoring. No behavioral fingerprinting over time.
LangSmith / Arize Tracing, replay Production drift monitoring Batch/async — not real-time. Single-model focus. No active intervention.
InsAIts Runtime AI-to-AI semantic + behavioral + compliance Missing: MCP-native wrapper, JS/TS SDK, RBAC, published benchmarks

The precise gap: mcp-scan proxy knows WHAT tools are called and blocks policy violations. InsAIts knows WHAT AGENTS SAID TO EACH OTHER semantically. Complementary — the ideal stack uses both. InsAIts is the only option for air-gapped and regulated-industry deployments (100% local processing, zero data sent externally).

Detectors — Build Priority Queue

Priority Detector OWASP Target Estimated Build Time
#1 ToolDescriptionDivergenceDetector MCP03 2-3 weeks
#2 BehavioralFingerprintDetector MCP04 1-2 weeks
#3 CredentialPatternDetector MCP01, ASI06 1 week
#4 InformationFlowTracker MCP06, MCP10 3-4 weeks
#5 ToolCallFrequencyAnomalyDetector ASI09 1-2 weeks
#6 ExfiltrationPatternDetector Postmark attack 2-3 weeks
#7 ShadowAgentDetector MCP09 1 week
#8 EntropyCovertChannelDetector Future AI safety 3-4 weeks

Sources

All verified as of March 2026:

This site is open source. Improve this page.