Attack Chain · MCP Supply Chain
How a Malicious MCP Server Drains Your Database
Malicious MCP
server published
STEP 1
Tool description
payload hidden in natural language
Adversarial instruction embedded in documentation text
STEP 2
Model loads context
descriptions → context window
No mechanism to distinguish docs from instructions
STEP 3
Model follows instruction
text → operational guidance
Model produced no harmful output — normal tool call
STEP 4
Data export executed
data_export → attacker endpoint
Every customer record forwarded to attacker
Data
exfiltrated
The payload is text, not code.
No malware. No CVE. No suspicious traffic.
LEGEND
Focal node
Accent path
Standard step