Widespread Scanning Targets AI Assistant Credentials and Exposed MCP Servers
Researchers have detected a significant increase in internet-wide scanning activity specifically targeting Model Context Protocol (MCP) servers and AI assistant configuration files, posing a threat to sensitive internal systems.

A recent analysis of internet scanning activity has revealed a concerning new trend: attackers are systematically probing for Model Context Protocol (MCP) servers and credentials associated with AI assistants. Researchers observed widespread scanning that went beyond simple URL probes, actively performing valid MCP initialize handshakes and specifically targeting configuration files for popular AI tools like Claude and Cursor. This sophisticated reconnaissance indicates a growing threat landscape where exposed AI infrastructure could grant attackers access to sensitive internal systems.
The investigation, which analyzed two weeks of logs from a small web host, categorized the observed scanning into classic application reconnaissance and this emerging AI-agent specific activity. While common probes for Spring Boot Actuator endpoints and .env files were prevalent, the AI-related scans accounted for a notable portion of the traffic. Notably, the MCP handshake probes originated from a diverse set of 49 distinct IP addresses, suggesting a broad, distributed campaign rather than a single actor.
What sets these scans apart is their technical sophistication. Unlike typical 'dumb' scanning that merely checks for the existence of a URL, the attackers are engaging in actual MCP protocol handshakes. They send correctly formed JSON-RPC 2.0 initialize calls, waiting for a response from an MCP server. If a server responds, the attacker can then proceed to enumerate exposed tools, data sources, and other functionalities accessible through the MCP bridge, effectively gaining a machine-readable inventory of an AI agent's capabilities.
Beyond live server probing, the scans also aggressively targeted configuration and credential files for AI coding assistants such as Claude and Cursor. Attackers are searching for files like .claude/mcp.json, .cursor/mcp_config.json, and .vscode/mcp.json, which, if inadvertently exposed in a web root, can leak sensitive information. The use of HEAD requests for credential files indicates an optimization strategy for large-scale scanning, further underscoring the organized nature of this threat.
In parallel, the scanning activity includes probes for unauthenticated LLM inference endpoints. Common targets include the OpenAI-compatible /v1/models endpoint and the Ollama /api/tags endpoint. If these endpoints respond without authentication, it signifies that a local model is accessible to anyone, potentially allowing attackers to leverage free compute resources or use the exposed model as a pivot point into internal networks.
Bundled with this AI-focused reconnaissance is the familiar technique of targeting cloud metadata services for instance credentials via Server-Side Request Forgery (SSRF) attempts. This indicates that attackers are employing a multi-pronged approach, combining AI-specific vulnerabilities with established methods for cloud environment compromise.
The implications of these scans are significant. An exposed and unauthenticated MCP server acts as a gateway to internal systems, databases, and file systems for AI agents. The systematic search for these servers and associated credentials suggests a concerted effort to exploit the growing adoption of AI tools within organizations. The findings highlight the urgent need for organizations to secure their AI infrastructure, implement proper authentication for MCP servers and LLM endpoints, and ensure that configuration files are not exposed to the public internet.
This trend underscores a critical evolution in cyber threats, where the very tools designed to enhance productivity are becoming targets for exploitation. As AI adoption accelerates, so too does the sophistication of attacks aimed at compromising the underlying infrastructure and the sensitive data these systems can access.