One in Four MCP Servers Exposes AI Agents to Critical Code Execution Risks
A new analysis from Noma Security warns that 25% of enterprise MCP servers are vulnerable to code execution risks, with AI agents frequently exposed to toxic instruction chains that can lead to data exfiltration and system destruction.
A new report from Noma Security has revealed that one in four Model Context Protocol (MCP) servers currently deployed in enterprise environments exposes AI agents to significant code execution risks. The analysis highlights a critical security divide between MCP servers, which provide deterministic, loggable code functions, and "Skills," which inject textual instructions directly into an AI model's reasoning context. While MCP tools are easier to monitor, the reasoning-based nature of Skills creates an observability gap, making it difficult for security teams to trace malicious actions back to specific instructions Help Net Security.
The research, which evaluated hundreds of popular MCP servers and Skills, found that most widely used tools possess at least one high-risk capability. A typical enterprise environment now connects over 100 high-risk tools to its AI agents. The most prevalent danger across both mechanisms is the ability to modify system state or data, which leaves organizations vulnerable to both targeted attacks and accidental damage caused by model hallucinations. While MCP servers are susceptible to "rug-pull" supply chain attacks because they often fetch the `@latest` package version on every load, Skills are generally more static and resistant to such automated updates Help Net Security.
Noma Security identified five "toxic" attack patterns already observed in the wild, demonstrating how combining individual capabilities leads to severe compromises. In the "ContextCrush" scenario, attackers poisoned a documentation library to force a coding agent to exfiltrate local source code and credentials into a GitHub issue. Another pattern, "ForcedLeak," involved injecting malicious instructions into a Salesforce CRM record; when processed by an agent, the poisoned content triggered the exfiltration of sensitive records to an attacker-controlled domain Help Net Security.
Supply-chain compromises also pose a major threat, as seen in the "DockerDash" incident. In that case, an attacker published a Docker image containing prompt injection in its metadata, which allowed the Docker Gordon AI assistant to execute arbitrary commands on the developer's machine. Beyond external attacks, the report highlights that agents can cause catastrophic damage on their own, citing instances where a Replit coding agent deleted a production database containing over 1,200 executive records, and an Amazon Q extension was hijacked to wipe local files and AWS resources Help Net Security.
This research underscores a fundamental shift in the threat landscape as organizations rapidly integrate AI agents into their workflows. The findings suggest that current governance models are insufficient, as they often focus on observable tool invocations while ignoring the opaque reasoning processes where Skills operate. As AI agents gain deeper access to sensitive data and infrastructure, the ability to distinguish between legitimate assistance and malicious manipulation remains a primary challenge for enterprise security teams.