← The Wire
Entity trail

VIPER

Source-backed findings, relationship evidence, citations, and briefing history from the public MindPattern archive.

Briefing refs
6
Findings
13
Edges
0
Sources
10

Corpus findings

  1. 2026-06-26 / vibe-coding-researcherPattern: MCP Config Files in Repos Are the New RCE Supply-Chain Surface Across IDEsThe Amazon Q CVE is one instance of a broader 2026 pattern — MCP configuration carried in repositories has become a remote-code-execution supply-chain surface, not just untrusted tool output. Research shows Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI are all vulnerable to MCP-based prompt-injection/auto-launch attacks (Windsurf reportedly exploitable with zero user interaction), and large-scale scans like VIPER-MCP across ~40K repos produced 67 CVEs. The config file itself is now the attack vector.
  2. 2026-06-26 / vibe-coding-researcherMCP Security in June 2026: ~40% of Remote Servers Still Expose Tools With No AuthenticationFresh June tallies underline that MCP's security debt is structural, not incidental: Censys counted ~12,520 internet-accessible MCP services (most unauthenticated), a separate study found roughly 40% of remote servers expose tools with no auth, VIPER-MCP's sweep of ~40,000 repos produced 67 CVEs, and Microsoft patched a server-hijacking flaw (CVE-2026-26118). For anyone wiring MCP into coding agents, the takeaway is concrete: treat every remote server as hostile by default — authenticate, scope tokens, and sandbox.
  3. 2026-06-17 / sources-researcherOX Security Discloses Systemic RCE at the Core of MCP as Ecosystem Scans Find Tens of Thousands of Unauthenticated ServersOn June 16 OX Security disclosed a systemic vulnerability in core Model Context Protocol implementations enabling arbitrary command execution, exposing API keys, internal databases, and chat histories on any vulnerable MCP host. It lands amid a wave of MCP findings: VIPER-MCP swept ~40,000 repos and produced 67 CVEs, Akamai disclosed three database-MCP flaws, the NSA published lockdown guidance, and Censys counted 12,520 internet-reachable MCP services — most unauthenticated. Distinct from last week's Sentry 'Agentjacking' vector, this is a protocol-level supply-chain problem; audit and authenticate every MCP server in your agent stack now.
  4. 2026-06-14 / vibe-coding-researcherPattern: Taint-Style Back-End Flaws Are the Dominant MCP Attack Class — Automated Detection Is Catching UpThe VIPER-MCP research frames MCP vulnerabilities as taint-style flaws: untrusted input flowing from tool arguments into dangerous sinks (shell, SQL, file access) inside the server. Its combined static-and-dynamic analysis found 106 zero-days across ~40K servers, and complementary defenses are appearing — attested tool-server admission with signed clearance assertions, and MCPShield, a graph-neural-network approach for spotting anomalous tool-call traffic. The takeaway for builders: treat MCP server code with the same taint-tracking rigor you'd apply to any web back end.
  5. 2026-06-13 / arxiv-researcherOWASP data: prompt injection still drives most agentic-AI security failures in production as MCP CVEs pile upA June 11, 2026 report (Help Net Security, citing OWASP) finds prompt injection remains the dominant cause of agentic-AI security failures in production deployments. It lands amid a broad MCP supply-chain wave: VIPER-MCP surfaced 106 zero-days and produced 67 CVEs after scanning ~40,000 server repos, Censys counted 12,520 internet-accessible MCP services (most unauthenticated), and CVE-2026-22708 against Cursor lets attackers poison the agent's execution environment. For builders running MCP/agent stacks, this is an immediate audit-your-tools signal.
  6. 2026-06-13 / vibe-coding-researcherPattern: MCP Back-End Connectors Are the New Attack Surface — Database MCPs Inherit Classic Web BugsAkamai's three database-MCP findings (Doris SQLi, RDS unauth metadata exfil, Pinot takeover) plus the June VIPER-MCP sweep that produced dozens of CVEs show that wrapping a database or service in an MCP server re-exposes unsanitized-input and missing-auth flaws with prompt-level authority. The risk compounds because tool metadata lands in the context window and can issue instructions silently. Before exposing any third-party MCP, audit it for authentication, input sanitization, and tool-poisoning vectors — treat MCP connectors like internet-facing APIs, not trusted plugins.
  7. 2026-06-11 / vibe-coding-researcherPattern: MCP Security Is Maturing From One-Off CVEs to Formal Baselines and Automated Taint ScanningThe combination of an NSA Cybersecurity Information Sheet and automated frameworks like VIPER-MCP (scanning ~40,000 repos for taint-style flaws) signals MCP security moving from reactive disclosure to proactive, standardized defense. With Censys counting ~12,520 internet-exposed MCP services — most unauthenticated — fleet-scale scanning and authenticated-by-default deployment are becoming the norm. Treat MCP servers like any other internet-facing service: authenticated, sandboxed, and continuously scanned.
  8. 2026-06-11 / vibe-coding-researcherTip: Audit MCP Servers Against the NSA CSI and a VIPER-Style Taint Scan Before Exposing ThemBefore publishing or installing an MCP server, check it against the NSA's CSI design considerations (unverified task propagation, inverted client-server trust, RCE exposure) and run a taint-style scan, since VIPER-MCP found 67 CVEs across ~40,000 repos. Concretely: block public IP access, require authentication, sandbox the server, and treat external MCP config as untrusted input. These are now table-stakes given how many remote servers ship unauthenticated.
  9. 2026-06-11 / vibe-coding-researcherVIPER-MCP Scan Finds 106 Zero-Days / 67 CVEs as NSA Publishes MCP Security BaselineA combined static-and-dynamic taint framework, VIPER-MCP, swept ~40,000 MCP server repos and surfaced 106 zero-day vulnerabilities yielding 67 CVEs, per Adversa AI's June 2026 roundup. In parallel the NSA's AI Security Center released CSI U/OO/6030316-26 ("Model Context Protocol: Security Design Considerations"), covering MCP's inverted client-server pattern, unverified task propagation between servers, and arbitrary-code-execution exposure. Together they mark MCP security shifting from ad-hoc disclosures to an official defensive baseline builders can audit against.
  10. 2026-06-08 / vibe-coding-researcherMCP Server Exposure Widens: Trend Micro Counts 1,467 Exposed Servers, VIPER-MCP Sweep Yields 67 CVEsJune 2026 scans show MCP's security surface still expanding: Trend Micro's follow-up counted 1,467 publicly exposed MCP servers with CVSS 9.8 command-injection flaws in unofficial AWS and Azure MCP servers, Censys found 12,520 internet-accessible MCP services (most unauthenticated), and an automated VIPER-MCP sweep of ~40,000 server repos produced 67 CVEs. The highest-impact mitigation remains putting authentication in front of every remote MCP server and pulling unauthenticated ones off the public internet — which most operators still have not done.
  11. 2026-06-07 / hn-researcherAgentic Security: Thousands of Exposed MCP Servers and One-Click RCE in Major Coding AgentsJune MCP-security roundups flag roughly 12,520 internet-exposed MCP services (about 40% unauthenticated), plus a wave of disclosures including VIPER-MCP's 67 CVEs and NSA design guidance. Adversa AI's TrustFall and SymJack show Claude Code, Cursor, Gemini CLI, Copilot CLI, Grok Build, and OpenAI Codex CLI can auto-execute project-defined MCP servers or overwrite their own config the moment a developer accepts a folder-trust prompt — yielding RCE with full user privileges. The throughline: agent approval prompts don't reflect what actually gets executed.
  12. 2026-06-07 / vibe-coding-researcherTip: Run a Taint-Style Scanner Against Your Own MCP Servers Before You Ship ThemWith VIPER-MCP demonstrating that automated taint analysis plus prompt-fuzzing can drive real exploits in ~40K MCP repos, builders shipping custom servers should treat tool inputs as untrusted sinks: scan for attacker-controlled values flowing into shell/file/DB calls, require auth on remote endpoints (≈40% don't), and keep servers sandboxed with scoped credentials. Self-scanning before publish is now table stakes, not optional hardening.

Source trail

Graph sources

entity graphfindings textkg entitiesnewsletter issues