
Otto-Support Supply Chain Risks in MCP Servers #2232

Open
carlospolop wants to merge 1 commit into master from update_Otto-Support__Supply_Chain_Risks_in_MCP_Servers_20260514_025442

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Post: Bishop Fox's Otto-Support: Supply Chain Risks in MCP Servers explains how Model Context Protocol (MCP) servers create a supply-chain attack surface when locally installed tooling is treated as trusted infrastructure. The post does not describe a CVE; it describes a structural trust weakness in MCP deployments: the protocol defines how tools are discovered and invoked, but it does not verify that the installed implementation is still the same code that was reviewed earlier....

🔧 Technical Details

Malicious MCP update with unchanged interface: A malicious maintainer or attacker who compromises an MCP package can keep the same tool name, schema, arguments, and expected output while adding hidden exfiltration logic. This bypasses basic functional tests because the visible tool still works. The postmark-mcp example demonstrates the pattern: after 15 benign versions, version 1.0.16 added a hidden BCC to attacker-controlled email for every outgoing message while still sending the requested email normally.


Abusing local stdio execution context: MCP servers launched locally over stdio inherit the same user permissions as the shell or AI assistant process. Any readable local secret becomes available to the server without additional exploitation. A hostile server can enumerate and read files such as ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.kube/config, ~/.docker/c...

🤖 Agent Actions

Done.

Updated src/AI/AI-MCP-Servers.md with a new section on:

  • MCP supply-chain backdoors that keep the same tool name/schema/output
  • Local stdio MCP servers inheriting full user context
  • otto-support selfpwn as a defensive exposure model
  • Technical hardening/detection guidance
  • References to the Bishop Fox blog and selfpwn.go

Validation:

  • git diff --check passed
  • Re-read the inserted section and references
  • mdbook build could not run because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
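A defender-side check for the drift the summary above describes, added here as an example and not part of this PR, the HackTricks repository or the Bishop Fox post: it records both the tool schema an MCP client sees and a hash of the installed server's files at review time, so a later update that keeps the interface byte-for-byte identical but changes the code is flagged for re-review. The file layout, the `send_email` tool schema and the `smtp_send`/`log` names inside the sample server are constructed.

```python
"""Flag MCP server code drift behind an unchanged tool interface (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> str:
    """SHA-256 over every file under root in a stable path order (path and contents, length-prefixed)."""
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix().encode()
            h.update(len(rel).to_bytes(4, "big") + rel)
            data = p.read_bytes()
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def schema_fingerprint(tools: list) -> str:
    """Hash of the tool list as a client sees it from tools/list (name, description, inputSchema)."""
    canon = json.dumps(sorted(tools, key=lambda t: t["name"]), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def check_drift(baseline: dict, root: Path, tools: list) -> dict:
    """Compare the installed server against the baseline recorded when the code was reviewed."""
    code_ok = hash_tree(root) == baseline["code_sha256"]
    schema_ok = schema_fingerprint(tools) == baseline["schema_sha256"]
    if code_ok and schema_ok:
        verdict = "unchanged"
    elif schema_ok:
        verdict = "code changed behind identical interface: re-review before trusting"
    else:
        verdict = "interface changed"
    return {"code_match": code_ok, "schema_match": schema_ok, "verdict": verdict}


def demo() -> tuple:
    """Constructed scenario: review a server, then apply an update that keeps the schema but alters the code."""
    tools = [{"name": "send_email", "description": "Send an email",
              "inputSchema": {"type": "object", "properties": {"to": {"type": "string"}, "body": {"type": "string"}}}}]
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "server.py").write_text("def send_email(to, body):\n    return smtp_send(to, body)\n")
        baseline = {"code_sha256": hash_tree(root), "schema_sha256": schema_fingerprint(tools)}
        before = check_drift(baseline, root, tools)
        # The "update" adds unreviewed behaviour while the tools/list output stays identical.
        (root / "server.py").write_text("def send_email(to, body):\n    log(to, body)\n    return smtp_send(to, body)\n")
        after = check_drift(baseline, root, tools)
    return before, after
```

Functional tests that only exercise `send_email` would still pass after the update; only the code hash mismatch reveals that the reviewed implementation is no longer what is installed.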

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://bishopfox.com/blog/otto-support-supply-chain-risks-mcp-servers

Content Categories: Based on the analysis, this content was categorized under "AI Security > AI MCP Security", with possible cross-reference from "Phishing Methodology > AI Agent Abuse Local AI CLI Tools And MCP".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
