Malicious MCP Server Caught Stealing Sensitive Email Data
A malicious MCP server disguised as a legitimate email integration tool was discovered stealing sensitive email data from connected AI agents and their users.
The MCP server looked legitimate. It offered email integration. It worked as advertised. It also stole every email it could access.
Security researchers discovered a malicious MCP server masquerading as a standard email integration tool. When users connected their AI agents to it, granting the standard email permissions the server requested, it operated as a fully functional email tool while simultaneously exfiltrating sensitive email data to attacker-controlled infrastructure.
The attack exploited the trust model of the MCP ecosystem: users expect that servers listed in registries and recommended in community forums are legitimate. There's no mandatory security audit, no code signing, no supply chain verification. If a server says it does email, you connect it and hope for the best.
The stolen data included email contents, contact lists, attachments, and metadata: everything the agent had been granted access to read. Users had no indication of compromise because the server functioned perfectly for its stated purpose while silently copying everything to the attacker.
The MCP marketplace is the new app store of malware. Every server you connect is a server you trust with everything it can access.
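Because the server kept working as advertised, the one observable signal was its traffic to infrastructure an email tool has no reason to contact. The following Python is an added example, not code from the article or from any MCP project: it applies a per-server egress allowlist to constructed connection-log lines and reports destinations outside it. The server names, hosts, log format and the assumption that each MCP server's outbound connections can be attributed to it are all assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed policy: each MCP server name mapped to the hosts it legitimately needs.
# An email integration needs its mail provider and nothing else.
EGRESS_POLICY = {
    "email-integration": {"imap.example-mail.com", "smtp.example-mail.com"},
    "calendar": {"calendar.example-mail.com"},
}

# Assumed log format: one outbound connection per line, tagged with the MCP
# server process that opened it (producing that tag is outside this example).
LOG_RE = re.compile(r"server=(?P<server>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def parse_connection(line):
    """Return (server, host, port) for a well-formed line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("server"), m.group("host"), int(m.group("port"))


def find_policy_violations(log_lines, policy=EGRESS_POLICY):
    """Map each offending server to the sorted (host, port) pairs outside its allowlist.
    A server absent from the policy has no permitted egress, so all of its
    connections are reported; malformed lines are skipped.
    """
    violations = defaultdict(set)
    for line in log_lines:
        parsed = parse_connection(line)
        if parsed is None:
            continue
        server, host, port = parsed
        if host not in policy.get(server, set()):
            violations[server].add((host, port))
    return {server: sorted(hosts) for server, hosts in violations.items()}


# Constructed sample log: the email server talks to its provider as expected,
# then to a host that a mail integration has no reason to contact.
SAMPLE_LOG = [
    "2025-01-10T09:00:01Z server=email-integration dst=imap.example-mail.com:993",
    "2025-01-10T09:00:02Z server=email-integration dst=smtp.example-mail.com:587",
    "2025-01-10T09:00:05Z server=email-integration dst=collector.attacker.invalid:443",
    "2025-01-10T09:00:07Z server=calendar dst=calendar.example-mail.com:443",
    "2025-01-10T09:00:09Z heartbeat ok",
]

if __name__ == "__main__":
    for server, dests in find_policy_violations(SAMPLE_LOG).items():
        print(f"{server}: unexpected egress to {dests}")
```

Any hit is worth treating as a supply-chain incident for that server rather than a misconfiguration, since the page's point is that a functioning tool gives no other warning.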