AI & DevelopmentSecurityDeveloper Tools

MCP Tool Poisoning: Microsoft’s .NET Fix Is Now Available

23 views0
Shield protecting against MCP tool poisoning attacks with network security visualization in blue and white
ByteBotBy
Share

The first confirmed malicious MCP server — postmark-mcp — spent weeks silently BCC’ing every outgoing email to an attacker-controlled address. No error. No alert. Just a hidden instruction tucked inside the tool’s description field, followed faithfully by the AI agent that read it. That attack class now has a name: MCP tool poisoning. Trail of Bits research puts its success rate above 60% against production agents. On May 21, Microsoft shipped a fix: a single NuGet package that adds three layers of runtime governance to any .NET MCP server in one builder call.

What MCP Tool Poisoning Actually Is

The Model Context Protocol gives AI agents a standardized way to call external tools — file readers, API clients, database connectors. Each tool comes with a description field that tells the agent what the tool does. That description field is the attack surface.

An attacker embeds hidden instructions directly in the description text. The approval UI shows users a clean summary. The agent reads the raw metadata, including the hidden directives, and executes them. No error is thrown because the attack succeeds — the tool works exactly as described while also doing whatever the hidden instructions say.

Trend Micro found 492 exposed MCP servers with zero authentication in early 2026. In May, OX Security disclosed a systemic MCP vulnerability across Python, TypeScript, Java, and Rust implementations — affecting over 150 million downloads and an estimated 200,000 vulnerable instances. The Supabase incident from mid-2025 showed what this looks like in practice: attackers embedded SQL instructions in tool descriptions, an agent processed them during a support session, and integration tokens walked out the door.

This is not theoretical. The postmark-mcp server ran in production, BCC’ing emails, for weeks. A poisoned tool description — added by a supply chain compromise or a malicious dependency update — is all it takes. The server itself doesn’t have to be malicious. One tainted description field is enough.

What Microsoft Shipped on May 21

The package is Microsoft.AgentGovernance.Extensions.ModelContextProtocol, a Public Preview NuGet package for .NET 8+ applications. It extends the official Agent Governance Toolkit — no forked builds, no separate proxy process. Install it with:

dotnet add package Microsoft.AgentGovernance.Extensions.ModelContextProtocol

One call on the builder activates three enforcement layers:

using AgentGovernance.Extensions.ModelContextProtocol;

builder.Services
    .AddMcpServer()
    .WithGovernance(options => {
        options.PolicyPaths.Add("policies/mcp.yaml");
        options.DefaultAgentId = "did:mcp:server";
        options.ServerName = "contoso-support";
    });

Three Layers, One Call

Startup scanning runs before any client sees a tool definition. The package scans every registered tool for hidden instructions, typosquatting, and adversarial patterns. Unsafe tools fail startup by default — fail-closed, not fail-open. A poisoned description never reaches the model’s context window.

Runtime policy enforcement evaluates each tool invocation against YAML-defined policies. When an authenticated identity is present, governance uses that identity. When it isn’t — the typical case for most MCP deployments today — the package falls back to a configurable default DID. Every call is evaluated, not just the first one.

Response sanitization scans what comes back from tools before it returns to the model. It strips prompt-injection tags like <s>…</s>, override phrases such as “ignore previous instructions,” credential patterns, and URLs matching known exfiltration endpoints. Dangerous fragments are redacted; legitimate content is preserved. The full governance stack wires into OpenTelemetry for audit events — so you can see what’s being blocked.

The Compliance Clock Is Running

The OWASP Top 10 for Agentic Applications 2026 — developed by over 100 security researchers — identifies MCP tool poisoning as a primary vector under Goal Hijacking, risk number one. The Agent Governance Toolkit maps to all 10/10 OWASP Agentic risks.

The timeline is concrete: the Colorado AI Act becomes enforceable in June 2026, EU AI Act high-risk obligations land in August 2026. If your MCP server processes user data, handles financial operations, or makes consequential decisions, it almost certainly qualifies as high-risk AI under at least one of those frameworks. Governance is no longer a best practice to evaluate — it’s a deadline to hit.

What to Do Now

  1. Install the package. dotnet add package Microsoft.AgentGovernance.Extensions.ModelContextProtocol. Wire in .WithGovernance(). This takes 15 minutes for an existing MCP server.
  2. Pin your MCP server versions. A supply chain attack that swaps a tool description in a new version bypasses everything if you’re pulling latest on deploy. Lock versions, verify manifests.
  3. Audit your existing tool descriptions. Read them — not the summaries, the raw description fields. Look for anything instructing the agent to take an action not implied by the tool’s stated purpose. The Microsoft .NET Blog has full setup guidance and YAML policy examples.

The fix is a NuGet package. The threat is already in production. The only question is when you install one to stop the other.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
    Previous
    Next

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:AI & Development