← The Wire

Security2026-07-09 · source-backed

Attackers are hijacking MCP tools mid-conversation, after the handshake.

Confidence
source-backed
Sources
1
Redaction
redacted

Story

July MCP roundups documented Mid-Session Tool Injection against WebMCP agents, using threshold poisoning and fabricated diagnostic events to swap or re-scope tools after a session is already established. The uncomfortable implication: a context provider you trusted at connect time can turn hostile at message 40. Per-response output validation and zero-trust boundaries between an agent and its tool servers aren't paranoia anymore, they're the baseline. Trust at handshake is not trust for the session.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entity: MCP / Same source domain / Shared topic / Earlier coverage

    The NSA published its first design guidance for MCP.

    Both cover MCP; reported by the same outlet (adversa.ai); overlapping topics (against, agent, baseline, between).

  2. Shared entities / Shared topic / Earlier coverage / Tension

    WebMCP: Chrome's Sleeper Hit

    Both cover MCP, WebMCP; overlapping topics (agent, tool); earlier MCP coverage from 2026-02-26.

  3. Shared entity: MCP / Shared topic / Earlier coverage / Tension

    Cedar Beats OPA for MCP Access Control on Safety-Critical Properties

    Both cover MCP; overlapping topics (against, agent, context, tool); earlier MCP coverage from 2026-03-20.

  4. Shared entity: MCP / Same source domain / Shared topic / Earlier coverage

    One click to RCE: ~12,520 exposed MCP servers and a symlink trick that owns six major coding agents

    Both cover MCP; reported by the same outlet (adversa.ai); overlapping topics (agent, already, trust).

  5. Shared entity: MCP / Shared topic / Earlier coverage

    10 Skills of the Day

    Both cover MCP; overlapping topics (against, agent, between, context, session); earlier MCP coverage from 2026-05-20.

  6. Shared entities / Shared topic / Earlier coverage

    A2A Protocol v0.3 reaches 150+ organizations.

    Both cover MCP, WebMCP; overlapping topics (agent, tool); earlier MCP coverage from 2026-03-08.

  7. Shared entity: MCP / Shared topic / Earlier coverage / Tension

    ShareLock splits one malicious prompt across multiple tools so no single one looks bad.

    Both cover MCP; overlapping topics (against, baseline, tool); earlier MCP coverage from 2026-06-26.

  8. MCP tool poisoning is a supply-chain problem, and ~200,000 instances are exposed.

    Both cover MCP; overlapping topics (against, agent, tool); earlier MCP coverage from 2026-06-19.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-07-09-attackers-are-hijacking-mcp-tools-mid-conversation-after-the-handshake
Labels
source-backed, canonical briefing excerpt