Security2026-06-19 · source-backed
MCP tool poisoning is a supply-chain problem, and ~200,000 instances are exposed.
Story
A May 2026 OX Security disclosure flagged a systemic tool-poisoning weakness across MCP implementations with roughly 150M downloads and an estimated 200,000 vulnerable instances. Malicious instructions hide in server-side tool metadata the agent reads at boot but the user never sees. This is not prompt injection, which is an input-validation problem. The model literally cannot distinguish poisoned tool metadata from a legitimate prompt, so client-side defenses don't work. Put the fix on the network: tool allowlisting, identity binding, runtime monitoring, and human-in-the-loop checkpoints at an AI gateway. If you're wiring MCP connectors into anything that touches secrets, this is the threat model to design against first.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage
OX Security found a systemic RCE baked into Anthropic's official MCP SDKs, every language
Both cover MCP, OX Security; overlapping topics (agent, model, tool); earlier MCP coverage from 2026-06-15.
Shared entity: MCP / Shared topic / Earlier coverage / Tension
Agent Security (Priority: +2.0)
Both cover MCP; overlapping topics (against, agent, prompt, tool); earlier MCP coverage from 2026-02-21.
Shared entities / Shared topic / Earlier coverage
Every Major MCP Client Is Vulnerable to Prompt Injection via Tool Poisoning. All Seven Tested. All Seven Failed.
Both cover Malicious, MCP; overlapping topics (agent, tool); earlier Malicious coverage from 2026-03-26.
Shared entity: MCP / Shared topic / What happened next
Prompt injection just got reclassified from "bug" to "architectural flaw"
Both cover MCP; overlapping topics (against, agent, model, prompt); picks up the MCP thread on 2026-06-27.
Shared entity: MCP / Shared topic / Earlier coverage / Tension
Gemini CLI Plan Mode: Read-Only Reasoning Before Any Write.
Both cover MCP; overlapping topics (agent, cannot, tool); earlier MCP coverage from 2026-03-20.
Cedar Beats OPA for MCP Access Control on Safety-Critical Properties
Both cover MCP; overlapping topics (against, agent, tool); earlier MCP coverage from 2026-03-20.
WebMCP: Chrome's Sleeper Hit
Both cover MCP; overlapping topics (agent, client-side, tool); earlier MCP coverage from 2026-02-26.
Agent Security
Both cover MCP; overlapping topics (against, agent, tool); earlier MCP coverage from 2026-02-22.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 19, 2026
- AI generated
- no
- Story unit
- 2026-06-19-mcp-tool-poisoning-is-a-supply-chain-problem-and-200-000-instances-are-exposed
- Labels
- source-backed, canonical briefing excerpt