Public story · 2026-03-18 · source-backed
CrowdStrike Names the Three Ways Your MCP Server Will Get Owned
Story
CrowdStrike published the first formal taxonomy of agentic tool chain attacks, naming three distinct classes that every builder running MCP servers needs to internalize: tool poisoning (injecting malicious instructions into tool descriptions that the agent reads and follows), tool shadowing (overriding legitimate tools with malicious lookalikes that intercept calls), and rugpull attacks (tools that behave perfectly during testing and evaluation, then activate malicious behavior when a trigger condition is met). CrowdStrike Blog
The rugpull pattern is particularly nasty because it defeats the standard defense of "test the tool before deploying it." The tool passes every evaluation run, functions correctly during staging, and only activates its payload when it detects production data, specific user credentials, or a time-based trigger. This is the MCP equivalent of a supply chain attack — and every agent that trusts a compromised server inherits the vulnerability.
CrowdStrike's recommended defenses: signed manifests for tool definitions, version pinning to prevent silent updates, and explicit upgrade approval gates. These are the same patterns the npm ecosystem learned the hard way after event-stream. The agent ecosystem is relearning supply chain security from first principles, and the attack surface is growing faster than the defenses.
This taxonomy didn't arrive in isolation. SecurityWeek published the first aggregated MCP CVE analysis showing exec/shell injection at 43% of Q1 2026 vulnerabilities. SecurityWeek Microsoft's March Patch Tuesday explicitly named MCP and AI agents as an expanding attack surface for the first time in a security bulletin. Windows News AI And Token Security will demo a full Azure tenant takeover chain starting from a single MCP server RCE at RSAC 2026. GlobeNewswire Agent security isn't a niche concern anymore — it's a tier-1 enterprise attack vector.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / What happened next / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover Azure, GlobeNewswire, MCP, Microsoft; overlapping topics (chain, security, server, tool); picks up the Azure thread on 2026-03-23.
Shared entities / Same source / Shared topic / What happened next
MCPwned: Azure MCP SSRF Chain Leads to Full Tenant Credential Takeover.
Both cover Azure, GlobeNewswire, MCP, Microsoft; cite the same source (GlobeNewswire); overlapping topics (chain, server).
Shared entities / Same source / Shared topic
MCPwned: Azure MCP Server to Full Tenant Takeover.
Both cover Azure, Microsoft, RCE, RSAC; cite the same source (GlobeNewswire); overlapping topics (attack, chain, server).
Shared entities / Shared topic / Earlier coverage
MCPwned: 30 CVEs in 60 Days.
Both cover GlobeNewswire, MCP, Microsoft, RCE; overlapping topics (chain, server); earlier GlobeNewswire coverage from 2026-03-17.
Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth
Both cover MCP, Microsoft, RCE; overlapping topics (attack, chain, security, server); earlier MCP coverage from 2026-02-22.
Shared entity: MCP / Same source domain / Shared topic / What happened next
Every Major MCP Client Is Vulnerable to Prompt Injection via Tool Poisoning. All Seven Tested. All Seven Failed.
Both cover MCP; reported by the same outlet (securityweek.com); overlapping topics (agent, attack, ecosystem, security, server).
Shared entities / Shared topic / Earlier coverage
The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework
Both cover MCP, Microsoft, RCE; overlapping topics (agent, attack, chain); earlier MCP coverage from 2026-03-05.
Shared entities / Shared topic / What happened next
The MCP supply chain has a hole in the floor, and it's being exploited right now
Both cover MCP, Microsoft; overlapping topics (agent, chain, ecosystem, server); picks up the MCP thread on 2026-06-17.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — March 18, 2026
- AI generated
- no
- Story unit
- 2026-03-18-crowdstrike-names-the-three-ways-your-mcp-server-will-get-owned
- Labels
- source-backed, canonical briefing excerpt