Anthropic’s protocol crossed 97 million downloads and joined the Linux Foundation. Then a researcher showed 200,000 servers can be hijacked with a single line of code. Anthropic’s response: this is how it’s supposed to work.

In December 2025, Anthropic donated the Model Context Protocol to a new Linux Foundation effort called the Agentic AI Foundation. The press releases were the usual coronation language: vendor-neutral governance, open standards, the future of AI agents. OpenAI, Google, Microsoft, AWS, Cloudflare, and Bloomberg signed on.
Four months later, a research team at OX Security published a paper they called “The Mother of All AI Supply Chains.” They had found a design flaw at the core of MCP that lets an attacker run arbitrary OS commands on any of the roughly 200,000 servers running the protocol. The researchers demonstrated four working attack chains, including one that successfully poisoned nine of the eleven public MCP marketplaces they tested.
OX repeatedly asked Anthropic to patch the underlying design. Anthropic’s response, on the record: the protocol works just fine. The behavior is “expected.”
That sentence is the entire story.
Why everyone shipped MCP in the first place
For the executives who have not had to care about this until now: MCP is the protocol that lets AI agents call tools and access data. Connect Claude to your Salesforce. Wire ChatGPT into your warehouse. Give your coding agent access to your repo. Every one of those connections is an MCP call. It is the USB-C of agent infrastructure, which is exactly what Anthropic set out to build.
The numbers explain why everyone shipped it. 97 million monthly SDK downloads in March 2026, a 970x increase in eighteen months. More than 12,000 public MCP servers. Every major model vendor ships MCP-compatible tooling by default. It is, by any honest measure, the most successful new protocol launched in enterprise software since GraphQL.
It is also, by the same measure, the most under-secured.
The “vulnerability” is the protocol working as designed
Here is the part executives keep missing. The MCP “vulnerability” is not a bug in a particular implementation. It is a property of the spec.
MCP servers that use the stdio transport talk to the client over standard input and output, and the client is the process that launches the server, as a subprocess. The launch command and its arguments come from the client's configuration. That command can be any program the host can run, a shell included. The protocol does not constrain it.
To run a legitimate MCP server, you execute the launch string. To run an attacker’s payload, you execute the launch string. The protocol does not distinguish.
That is what OX Security found, and what Anthropic was unwilling to change. To “fix” the flaw would be to redesign the launch model. Which would break every MCP server published in the last eighteen months. Which is precisely why Anthropic told the researchers the protocol works fine.
Four attack vectors. The last one should keep CISOs up.
OX demonstrated four working exploits.
One. Unauthenticated command injection against MCP-integrated frameworks including LangFlow and GPT Researcher. CVE-2025-65720 was issued.
Two. Hardening bypass. Even where developers had added input sanitization, the underlying protocol still permitted command execution.
Three. Zero-click prompt injection across the major AI coding agents (Claude Code, Cursor, Windsurf, Gemini-CLI, GitHub Copilot). CVE-2026-30615 was issued for Windsurf. The “zero-click” part is important. The developer does not have to do anything wrong. Opening a file is enough.
Four. Marketplace poisoning. The researchers successfully published malicious MCP servers to nine of the eleven public MCP marketplaces they tested, including registries enterprises are using to discover and install tools.
That last one is the one that turns a security incident into a supply chain crisis. The moment an enterprise’s AI platform team installs an MCP server from a registry — which is the default behavior MCP was designed to encourage — they are running unknown code with access to the agent’s full toolset. That toolset usually includes the warehouse, the CRM, internal APIs, and developer credentials.
We have seen this movie. It was called npm.
The OX paper’s title is not just dramatic flourish. The architectural pattern MCP just standardized — frictionless publishing to public registries, deep system access by default, opt-in security after the fact — is the same pattern that produced the npm catastrophe of the last several years.
In 2024 and 2025, npm absorbed supply chain attacks like the Shai-Hulud worm and the axios compromise. Tens of thousands of packages were backdoored. Credentials were stolen across the open-source ecosystem. Mitigation work is still ongoing.
The difference with MCP is that npm packages mostly run inside developer build pipelines. MCP servers run with the explicit purpose of giving an autonomous agent permission to act on real systems in production. An npm exploit gets you developer credentials. An MCP exploit gets you the agent’s authority to write to the database, send the email, and place the order.
The blast radius is not the same.
The Linux Foundation handoff looks different now
Run the timeline again. December 2025: Anthropic donates MCP. April 2026: OX Security publishes the disclosure. The handoff happened four months before the world found out the protocol it was now governing had a design flaw the original maintainers had refused to fix.
This is not an accusation that Anthropic knew specifically about the OX work. It is an observation that the optics of donating a flawed protocol to an industry foundation, months before its biggest design problem becomes public, are not great. The Agentic AI Foundation is now the institution responsible for fixing this. Anthropic is not.
That is a successful platform handoff. It is also a successful hot potato.
What to do this quarter
If you are running an agent program in 2026, three things matter.
One. Assume every MCP server you have not personally code-reviewed is hostile. Treat the marketplaces the way you would treat npm — a publishing platform, not a vetted distribution channel.
Two. Agents that call MCP servers must run in sandboxed execution environments with explicit allowlists. The MCP tunnels feature Anthropic shipped in research preview on May 19 moves in this direction. The default configuration does not.
Three. Stop letting “MCP-native” be a procurement checkbox. If a vendor’s entire pitch is that they expose their product as an MCP server, that is a description of their attack surface, not their security posture.
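What the launch model described above looks like in a client's configuration, and what the allowlist in step two amounts to in practice, as an added example (not the article's code and not code from any MCP project or client). It assumes the client keeps its servers in a JSON object shaped like {"mcpServers": {"name": {"command": ..., "args": [...]}}}, which is the shape several desktop clients use; the sample config and policy are constructed for the demonstration, and the package name @example/crm-mcp-server and the path /opt/mcp/bin/filesystem-server are placeholders.

```python
"""Audit an MCP client's stdio server configuration against a launch allowlist.

Added example, not code from the article or from any MCP project. Assumes the
client stores servers as {"mcpServers": {"<name>": {"command": ..., "args": [...]}}}.
"""
import json
import os
from dataclasses import dataclass

# Launching any of these hands the rest of the argument list to a shell, so the
# "launch string" really is an arbitrary command line.
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "dash", "ksh",
                      "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}

# Package runners that resolve, download and execute code at launch time.
FETCH_AND_RUN = {"npx", "uvx", "pipx", "bunx"}


@dataclass(frozen=True)
class Policy:
    approved_servers: frozenset[str]   # server names someone has actually reviewed
    pinned_commands: dict[str, str]    # command basename -> the only absolute path allowed


@dataclass(frozen=True)
class Finding:
    server: str
    severity: str   # "block" or "warn"
    reason: str


def audit_server(name: str, entry: dict, policy: Policy) -> list[Finding]:
    """Return every policy violation for one server entry; empty list means clean."""
    findings: list[Finding] = []
    command = entry.get("command")
    args = entry.get("args", [])
    if not isinstance(command, str) or not command:
        return [Finding(name, "block", "entry has no launch command")]
    base = os.path.basename(command).lower()

    if name not in policy.approved_servers:
        findings.append(Finding(name, "block", "server is not on the reviewed/approved list"))
    if base in SHELL_INTERPRETERS:
        findings.append(Finding(name, "block",
                                f"launches a shell interpreter ({command}); args {args!r} "
                                "run as an arbitrary command line"))
    if base in FETCH_AND_RUN:
        findings.append(Finding(name, "warn",
                                f"{base} fetches and executes package code at launch; "
                                "vendor and pin the server instead"))
    pinned = policy.pinned_commands.get(base)
    if pinned is None:
        findings.append(Finding(name, "block",
                                f"command {command!r} is not in the pinned-command allowlist"))
    elif command != pinned:
        findings.append(Finding(name, "block",
                                f"command must be invoked as {pinned!r}, not {command!r}"))
    return findings


def audit_config(config: dict, policy: Policy) -> dict[str, list[Finding]]:
    """Audit every server in the config; keys are server names."""
    servers = config.get("mcpServers", {})
    return {name: audit_server(name, entry, policy) for name, entry in servers.items()}


def blocked_servers(report: dict[str, list[Finding]]) -> list[str]:
    """Names of servers that must not be launched under this policy."""
    return sorted(name for name, fs in report.items()
                  if any(f.severity == "block" for f in fs))


# Constructed sample config: one vendored, pinned server; one fetched from a
# registry at launch; one whose "server" is just a shell command line.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "filesystem": {"command": "/opt/mcp/bin/filesystem-server",
                   "args": ["--root", "/srv/shared"]},
    "crm":        {"command": "npx", "args": ["-y", "@example/crm-mcp-server"]},
    "helper":     {"command": "sh",  "args": ["-c", "echo hello"]}
  }
}
""")

# Constructed policy: only the reviewed, vendored server is approved.
SAMPLE_POLICY = Policy(
    approved_servers=frozenset({"filesystem"}),
    pinned_commands={"filesystem-server": "/opt/mcp/bin/filesystem-server"},
)

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG, SAMPLE_POLICY)
    for server, findings in report.items():
        print(server, "OK" if not findings else "")
        for f in findings:
            print(f"  [{f.severity}] {f.reason}")
    print("blocked:", blocked_servers(report))
```

The "helper" entry runs nothing worse than echo, which is the point: the configuration format gives the client no way to tell that entry from one that does something harmful, so the only workable control is to refuse anything that is not a reviewed server launched by a pinned absolute path. Wire the audit into whatever writes the config (or run it before the agent starts) and treat any "block" finding as a hard stop.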
The protocol that won is going to lose something
MCP won. There is no realistic scenario where a different protocol displaces it now. Linux Foundation governance, model-vendor consensus, 97 million downloads — that race is over.
What has not been settled is whether MCP wins on the original terms, or on terms set by the first major MCP-driven enterprise breach. Right now, MCP’s security story is the story Anthropic chose — the protocol works fine, the behavior is expected, the rest is your problem.
The first time a Fortune 500 finds out their AI agent’s MCP server was the entry point for the breach, that story will not hold.
The protocol will not be redesigned. The defaults will.
I write about data integration, AI infrastructure, and the gap between what the industry promises and what enterprises actually experience. If this resonated, follow along — I publish a few times a week.
“The MCP security crisis isn’t a vulnerability. It’s a design choice.” was originally published in System Weakness on Medium.