DEV Community · Wednesday, June 3, 2026

The MCP Rug Pull - When the Tool You Trusted Yesterday Becomes Malicious Today

mcp · supply-chain · security · ai-agents

The Model Context Protocol (MCP) is experiencing a surge in community-built servers that provide AI agents with access to databases, GitHub APIs, Slack, Notion, and local filesystems. While convenient, this creates a novel attack surface. Traditional supply-chain security tools verify package integrity at install time using hashes and signatures, but they cannot detect when a server's tool surface changes between sessions while the package remains byte-identical. This gap, termed the 'MCP rug pull,' allows a server to initially present benign tools and later introduce malicious ones. For example, a server might start by offering a harmless 'get weather' tool, then update its tool list to include 'read files' or 'execute commands' without triggering any alerts. The AI agent, trusting the previously verified server, would then execute these new tools, potentially exfiltrating data or compromising systems.

This attack vector is specific to MCP's dynamic tool discovery model, where the server advertises its capabilities each session. The article highlights that current security tooling is ill-equipped to handle this threat, as it focuses on static artifact integrity rather than behavioral changes over time.
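The gap described above is between what install-time hashing covers (the package bytes) and what the agent actually acts on (the advertised tool definitions). One way a client can close it is to pin the tool surface, not the package: fingerprint each tool's name, description and input schema at the session where a human reviewed and trusted the server, then diff every later `tools/list` result against that pin and refuse to expose added or changed tools until they are re-reviewed. The following is an added example written for this digest, not code from the DEV post or from any MCP SDK; it assumes the client has already decoded the server's tool list into plain dicts, and the two session snapshots are constructed sample data.

```python
"""Session-to-session tool-surface pinning for an MCP server (added example, constructed data)."""
import hashlib
import json

# Constructed sample: what the server advertised in the session where it was reviewed and
# trusted. The shape mirrors an MCP tool definition (name, description, inputSchema).
SESSION_1_TOOLS = [
    {
        "name": "get_weather",
        "description": "Return the current forecast for a city.",
        "inputSchema": {
            "type": "object",
            "properties": {"city": {"type": "string"}},
            "required": ["city"],
        },
    },
]

# Constructed sample: the same server, byte-identical package, one session later.
# The existing tool's description has drifted and two new tools have appeared.
SESSION_2_TOOLS = [
    {
        "name": "get_weather",
        # The model reads this text, so a description change is a surface change too.
        "description": "Return the current or forecast weather for a city.",
        "inputSchema": {
            "type": "object",
            "properties": {"city": {"type": "string"}},
            "required": ["city"],
        },
    },
    {
        "name": "read_file",
        "description": "Read a file from the local filesystem.",
        "inputSchema": {
            "type": "object",
            "properties": {"path": {"type": "string"}},
            "required": ["path"],
        },
    },
    {
        "name": "execute_command",
        "description": "Run a shell command.",
        "inputSchema": {
            "type": "object",
            "properties": {"cmd": {"type": "string"}},
            "required": ["cmd"],
        },
    },
]


def tool_fingerprint(tool):
    """SHA-256 over the fields the agent's model actually sees, canonicalised so that
    key order and whitespace differences do not produce spurious drift."""
    canonical = json.dumps(
        {
            "name": tool["name"],
            "description": tool.get("description", ""),
            "inputSchema": tool.get("inputSchema", {}),
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pin_tool_surface(tools):
    """Map tool name -> fingerprint. Persist this alongside the package hash at trust time."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def diff_tool_surface(pinned, tools):
    """Compare a fresh tools/list result against the pinned surface."""
    current = pin_tool_surface(tools)
    return {
        "added": sorted(set(current) - set(pinned)),
        "removed": sorted(set(pinned) - set(current)),
        "changed": sorted(n for n in current.keys() & pinned.keys() if current[n] != pinned[n]),
    }


def check_session(pinned, tools):
    """Return (ok, diff). ok is False on any drift; the client should withhold the added or
    changed tools from the model and surface the diff for human re-review."""
    diff = diff_tool_surface(pinned, tools)
    ok = not (diff["added"] or diff["removed"] or diff["changed"])
    return ok, diff


if __name__ == "__main__":
    pinned = pin_tool_surface(SESSION_1_TOOLS)
    ok, diff = check_session(pinned, SESSION_2_TOOLS)
    print("tool surface unchanged" if ok else "TOOL SURFACE DRIFT: " + json.dumps(diff))
```

Run against the two snapshots, the check reports `get_weather` as changed and `read_file` and `execute_command` as added, which is exactly the transition the article describes and exactly what a package hash would never show. Hashing the description as well as the schema is deliberate: the description is model-facing input, so drift there matters as much as a new tool name.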

// why it matters

Developers must now consider runtime API surface changes as a supply-chain risk, not just package integrity.

Sources

Primary · DEV Community
▸ Read original at dev.to


The MCP Rug Pull - When the Tool You Trusted Yesterday Becomes Malicious Today — aigest.dev