Security2026-07-09 · source-backed
Attackers are hijacking MCP tools mid-conversation, after the handshake.
Story
July MCP roundups documented Mid-Session Tool Injection against WebMCP agents, using threshold poisoning and fabricated diagnostic events to swap or re-scope tools after a session is already established. The uncomfortable implication: a context provider you trusted at connect time can turn hostile at message 40. Per-response output validation and zero-trust boundaries between an agent and its tool servers aren't paranoia anymore, they're the baseline. Trust at handshake is not trust for the session.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entity: MCP / Same source domain / Shared topic / Earlier coverage
The NSA published its first design guidance for MCP.
Both cover MCP; reported by the same outlet (adversa.ai); overlapping topics (against, agent, baseline, between).
Shared entities / Shared topic / Earlier coverage / Tension
WebMCP: Chrome's Sleeper Hit
Both cover MCP, WebMCP; overlapping topics (agent, tool); earlier MCP coverage from 2026-02-26.
Shared entity: MCP / Shared topic / Earlier coverage / Tension
Cedar Beats OPA for MCP Access Control on Safety-Critical Properties
Both cover MCP; overlapping topics (against, agent, context, tool); earlier MCP coverage from 2026-03-20.
Shared entity: MCP / Same source domain / Shared topic / Earlier coverage
One click to RCE: ~12,520 exposed MCP servers and a symlink trick that owns six major coding agents
Both cover MCP; reported by the same outlet (adversa.ai); overlapping topics (agent, already, trust).
Shared entity: MCP / Shared topic / Earlier coverage
10 Skills of the Day
Both cover MCP; overlapping topics (against, agent, between, context, session); earlier MCP coverage from 2026-05-20.
Shared entities / Shared topic / Earlier coverage
A2A Protocol v0.3 reaches 150+ organizations.
Both cover MCP, WebMCP; overlapping topics (agent, tool); earlier MCP coverage from 2026-03-08.
Shared entity: MCP / Shared topic / Earlier coverage / Tension
ShareLock splits one malicious prompt across multiple tools so no single one looks bad.
Both cover MCP; overlapping topics (against, baseline, tool); earlier MCP coverage from 2026-06-26.
MCP tool poisoning is a supply-chain problem, and ~200,000 instances are exposed.
Both cover MCP; overlapping topics (against, agent, tool); earlier MCP coverage from 2026-06-19.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — July 9, 2026
- AI generated
- no
- Story unit
- 2026-07-09-attackers-are-hijacking-mcp-tools-mid-conversation-after-the-handshake
- Labels
- source-backed, canonical briefing excerpt