← The Wire

Security2026-06-26 · source-backed

ShareLock splits one malicious prompt across multiple tools so no single one looks bad.

Confidence
source-backed
Sources
1
Redaction
passed

Story

Researchers introduced ShareLock, a tool-poisoning attack against MCP that distributes a malicious instruction across several tool descriptions, defeating the assumption that a reviewer reading one tool will catch it. Per-tool review is now insufficient. The attack surface is the combination, not the individual tool. Pin a known-good baseline for each registered tool's description and diff against it.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage / Tension

    MCP's 2026 spec adds incremental scope consent, but tool descriptions are still an attack vector.

    Both cover MCP, Researchers; overlapping topics (attack, description, tool); earlier MCP coverage from 2026-06-18.

  2. Shared entity: MCP / Same source domain / Shared topic / Earlier coverage

    Every Major MCP Client Is Vulnerable to Prompt Injection via Tool Poisoning. All Seven Tested. All Seven Failed.

    Both cover MCP; reported by the same outlet (arxiv.org); overlapping topics (attack, description, instruction, tool).

  3. Shared entities / Same source domain / Earlier coverage

    Your Agents Are Lying About Being Done. A New Benchmark Proves It.

    Both cover MCP, Researchers; reported by the same outlet (arxiv.org); earlier MCP coverage from 2026-05-25.

  4. Shared entity: MCP / Shared topic / Earlier coverage

    10 Skills of the Day

    Both cover MCP; overlapping topics (against, attack, each, tool); earlier MCP coverage from 2026-03-25.

  5. Shared entity: MCP / Same source domain / Shared topic / Earlier coverage

    "MCP Tool Descriptions Are Smelly" (arXiv)

    Both cover MCP; reported by the same outlet (arxiv.org); overlapping topics (description, tool).

  6. Shared entity: MCP / Shared topic / What happened next

    Prompt injection just got reclassified from "bug" to "architectural flaw"

    Both cover MCP; overlapping topics (against, attack, instruction); picks up the MCP thread on 2026-06-27.

  7. Shared entity: MCP / Shared topic / Earlier coverage / Tension

    The most common MCP vulnerability is the "omnibus tool," and the fix is structural, not a patch.

    Both cover MCP; overlapping topics (against, tool); earlier MCP coverage from 2026-06-22.

  8. MCP tool poisoning is a supply-chain problem, and ~200,000 instances are exposed.

    Both cover MCP; overlapping topics (against, tool); earlier MCP coverage from 2026-06-19.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-26-sharelock-splits-one-malicious-prompt-across-multiple-tools-so-no-single-one-looks-bad
Labels
source-backed, canonical briefing excerpt