Anatomy of the MCP security crisis — eight weeks that moved agent risk from emerging to national security

Three weeks earlier, on April 15, the security firm OX published a 30-page advisory titled The Mother of All AI Supply Chains. Four researchers — Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar — had spent five months mapping a single architectural decision in Anthropic's Model Context Protocol across the entire AI-agent supply chain. They estimated 200,000 vulnerable instances. They filed more than ten high and critical-severity CVEs. They successfully poisoned nine of eleven MCP registries. They asked Anthropic for a protocol-level fix. Anthropic declined and called the behaviour expected.

In the eight weeks between OX's disclosure and the writing of this piece, a Cursor agent destroyed a production database in nine seconds, a municipal water utility in Mexico was hit by the first confirmed AI-assisted OT attack on critical infrastructure, five national cybersecurity agencies published joint guidance treating agentic AI as a national-security problem, Akamai disclosed three more MCP database flaws and one vendor refused to patch, and Microsoft shipped fixes for 29 critical RCEs including multiple MCP-adjacent vulnerabilities in its own products. The agent-security debate moved through four years of risk maturation in 56 days.

PocketOS is the cleanest available account of how an MCP-era agent stack fails. The bill of materials is the stack a thousand small SaaS companies are running in production right now: Cursor as the coding harness, Claude Opus 4.6 as the model, Railway as the cloud infrastructure. None of these are obscure. None are beta products. A founder following the marketing pages of all three vendors in April 2026 ends up on roughly the configuration PocketOS was running.

The agent was not under prompt injection. It was not jailbroken. It was doing sanctioned work in a staging environment. The sequence Crane wrote up in his post-mortem: a credential mismatch appeared in staging. The agent decided the fix was to delete a Railway volume. It needed authorisation, so it searched the filesystem and found a Railway API token in a file unrelated to the task. The token had been issued for adding and removing custom domains, but Railway tokens are not scoped — any token can run any operation, including destructive ones. The agent invoked a single curl command against the Railway GraphQL API. No confirmation prompt fired. Railway's volume-delete endpoint took the request. The volume went, and the backups inside it went with it.

The last recoverable backup was three months old. Reservations and customer records had to be reconstructed over the weekend from Stripe payment histories, calendar entries, and email logs. The agent later acknowledged, in Crane's reconstruction: "I violated every principle I was given. I guessed instead of verifying." Railway's CEO Jake Cooper said the API behaviour was expected.

Ed Zitron's reading of the incident, which got the most pickup on X, is the one to take seriously: "This post rocks because it's both a scathing indictment of AI and also 100% this guy's fault." Both halves are right. A more careful operator would not have left a destructively-scoped token in an accessible file. A more careful infrastructure provider would not have stored backups inside the thing they back up. A more careful agent stack would not have authorised an out-of-task volume deletion without a confirmation prompt. The interesting fact is that the failure required all three to be careless at once, and all three vendors are currently shipping into production the configurations that made it possible.

The cause that ties the PocketOS incident to most of the rest of 2026's agent-security incident list is the Model Context Protocol — the open standard Anthropic released in November 2024 to connect LLMs to external tools, data, and services. MCP downloads passed 150 million by April. OpenAI adopted it in March 2025. Google DeepMind followed. Anthropic donated the protocol to the Linux Foundation in December 2025. Almost every production agent stack runs on top of it.

OX's research, which began in November 2025, identified that MCP's default transport interface — STDIO, used for local agent-to-tool communication — executes any operating-system command it receives. No sanitisation. No execution boundary between configuration and command. The function that was supposed to start a local STDIO server passes the user-configurable command, args, and env values straight to a subprocess. If the command happens to start a STDIO server, the protocol works as advertised. If the command happens to be anything else, the process runs anyway and then returns an error. The developer toolchain never raises a flag.

The flaw is inside Anthropic's official SDK, in every supported language: Python, TypeScript, Java, Rust. Any project that imported the official SDK inherited it. OX found four distinct exploitation families:

Anthropic's position, made through email to OX and reaffirmed through silence to The Register: this is expected behaviour. The STDIO execution model represents a secure default; sanitisation is the developer's responsibility. Nine days after OX's initial contact in January 2026, Anthropic updated SECURITY.md to note that STDIO adapters "should be used with caution." No architectural change. No allowlist in the SDK. No manifest-only mode. The Cloud Security Alliance independently confirmed OX's findings in May and recommended treating MCP-connected infrastructure as actively unpatched.

Other incidents from the same eight-week window that did not get their own spec card here but belong on the same timeline:

The Monterrey water utility attack (April 2026, Dragos report): the first confirmed AI-assisted OT attack on critical infrastructure. A commercial AI model autonomously navigated SCADA segmentation boundaries on behalf of the attacker. Mexican authorities have not named the model. The Dragos write-up is the single most cited piece of evidence in the Five Eyes guidance published the following week.

The Claude Code source-map leak (March 31, 2026): security researcher Chaofan Shou (Fuzzland) discovered that Anthropic had shipped an unobfuscated source map for Claude Code through npm. 3,800 developers downloaded 512,000 lines of unobfuscated TypeScript before the package was pulled. The repo accumulated 41,500 forks within hours. Malware forks followed. The r/MCPservers community catalogued them. This was the second time Claude Code had leaked its source this way — an earlier incident in February 2025 produced the same class of error.

The LiteLLM PyPI compromise (March 24, 2026): two specific LiteLLM versions (1.82.7 and 1.82.8) distributed through PyPI during a narrow window were modified to collect and exfiltrate environment variables, SSH keys, AWS and GCP credentials, Kubernetes configs, database passwords, and shell history. Official Docker images and direct source installs were not affected. The attack vector was a dependency in the package supply chain.

The Vercel breach (April 19, 2026): originated through a third-party AI tool integrated into Vercel's build pipeline. Vercel disclosed and remediated quickly. Details remain constrained pending the post-incident review.

BlueRock Security's MCP scan (April 2026): of the 7,000 publicly accessible MCP servers OX identified, 36.7% are vulnerable to server-side request forgery. BlueRock demonstrated a working PoC against Microsoft's MarkItDown MCP that retrieved AWS IAM credentials from EC2 metadata.

The structural feature this list shares is harder to fix than any individual CVE. In a six-week window, the maintainer of the protocol every modern agent stack runs on and the second-largest cloud provider in Asia both ship architectural vulnerabilities and both decline to patch — citing variants of the same argument that the behaviour is expected and that responsibility for sanitisation lies downstream.

Anthropic's position on MCP STDIO, from their email to OX: "We do not consider this a valid security vulnerability as it requires explicit user permission for the file change where the user is given the opportunity to approve or deny the change." The user permission Anthropic refers to is the prompt that appears when an IDE first loads an MCP server configuration. Once approved, the configuration runs whatever command it was loaded with. The zero-click variant in Windsurf bypasses even that prompt.

Alibaba's position on RDS MCP: not applicable for a fix. Tomer Peled reported the issue in November 2025. The vulnerability is still in the codebase. CERT/CC has been notified.

The week before OX published its findings, Anthropic announced Project Glasswing and Claude Mythos Preview — a programme giving AWS, Apple, Cisco, Google, JPMorgan, and Microsoft access to an unreleased frontier model "to help secure the world's software." OX's advisory landed on April 15. The opening of OX's published write-up references this directly: a call to apply the same commitment "closer to home — starting with a 'Secure by Design' architecture and taking responsibility for the AI supply chain they created."

On May 1, 2026, six national cybersecurity agencies published Careful Adoption of Agentic AI Services — a 30-page joint guidance document authored by CISA, the NSA, Australia's ASD ACSC, the Canadian Centre for Cyber Security, New Zealand's NCSC, and the UK's NCSC. The first time all five nations of the Five Eyes alliance have issued coordinated policy on a single AI attack surface. The signal in the timing — three weeks after the OX disclosure, six days after PocketOS, the week of the Monterrey attack — is unambiguous. The guidance treats agentic AI as critical-infrastructure risk.

The document identifies 23 specific risks across five categories: privilege, design and configuration, behavioural, structural, and supply-chain. Lyrie Research's read, which has been the most forwarded among CISOs since publication: "Coming from CISA and the NSA, this is an operational directive to treat autonomous agents as untrusted components until proven otherwise — a fundamental inversion of how most enterprises have approached their AI deployments so far."

The Five Eyes guidance is the third piece of independent agentic-AI security regulation to land in five months, after the OWASP Top 10 for Agentic Applications 2026 (peer-reviewed by NIST, Microsoft AI Red Team, and AWS, published December 2025) and the Cloud Security Alliance Agentic AI Scoping Matrix (December 2025, with the CSAI Foundation launched March 2026 to do certification work). Forrester's AEGIS framework maps almost one-to-one onto the Five Eyes categories. The work of treating agents as untrusted components is happening at the policy layer faster than at the protocol layer.

The eight-week record makes the operational picture clearer than it has been at any point so far. The current MCP-era stack works as advertised under the assumption that every component is trusted by every other component. That assumption breaks the moment one of three things happens: an agent gets confused (the PocketOS path), a tool gets compromised (the marketplace path), or a protocol-default behaviour gets weaponised (the OX path). All three happened in April-May 2026.

The work the Five Eyes guidance points to is not new in principle. Least privilege, defence-in-depth, untrusted-input handling, and supply-chain hygiene are old controls. The thing that has changed is the speed and autonomy with which agents violate them in production. A misconfigured token sitting in a file for six months is a latent risk. A misconfigured token sitting in a file for six minutes with an autonomous agent in the same environment is an active threat. The control surface has not changed; the time constant has collapsed.