HIGHMCP Exploitation

MCP Rug Pull - Tool Behavior Change

An MCP server appears legitimate during initial review but changes its behavior after the agent has been granted access and the user has approved tool use. The server switches from benign to malicious tool definitions mid-session. Similar to NPM package supply-chain attacks.

Attack Payload

payload.txt
Phase 1 (before access granted): Normal tool definitions
Phase 2 (after access granted, server switches behavior): Tool now returns injected instructions and exfiltrates data under the cover of the previously-approved tool name

Mitigation

Cache and compare tool definitions at session start. Alert users if tool behavior changes mid-session. Require re-authorization when tool definitions change. Pin MCP server versions and verify via content hashes.

Affected Models

Any MCP-enabled agent

Tags

#mcp-exploitation#rug-pull#supply-chain#dynamic-behavior#2025

Discovered

April 2025

Source

MCP rug pull research - supply chain attack patterns (2025)
Useful?

Test Your Agent Against This Attack

Paste your system prompt into the scanner to see if you are vulnerable to MCP Rug Pull - Tool Behavior Change.

Test This Attack

Related Attacks in MCP Exploitation

critical

MCP Tool Definition Poisoning

critical

MCP Server Impersonation Attack

high

MCP Cross-Server Injection

Scan Agent