ChaoBro

MCP Servers Under Active Attack: 48% Store Credentials in Plaintext, Full Cloud Compromise

Bottom Line First

MCP (Model Context Protocol) has become the “USB interface” for AI agent ecosystems, but its security model is still stuck in 2023. TrendAI's latest research confirms it: attackers are actively exploiting MCP server vulnerabilities to steal SSH keys and API credentials, leading to full cloud environment compromise. This is not a “potential” security risk; it is an ongoing attack.

What Happened

TrendAI Research published an in-depth study on MCP server security on May 4-5, revealing three key findings:

1. Active Attacks Are Ongoing

Attackers have built a complete attack lifecycle:

  • Initial Access: Exploiting MCP server configuration vulnerabilities to gain initial access
  • Credential Extraction: Extracting plaintext-stored API keys, database passwords, and SSH keys from MCP config files
  • Lateral Movement: Using stolen credentials for lateral movement within cloud environments
  • Full Compromise: Ultimately gaining control of the entire cloud infrastructure

2. 48% of MCP Configs Store Sensitive Data in Plaintext

TrendAI analyzed a large number of MCP server configuration files and found:

  • 48% of config files store passwords and API keys in plaintext
  • This data can be read directly by attackers without any decryption
  • Attackers use these plaintext credentials for credential theft and lateral movement

3. 15 Lookalikes for Every Official Server

The study also found a massive number of fake servers in the MCP ecosystem:

  • 15:1 fake ratio: For every official MCP server, there are approximately 15 fake versions
  • These fake servers' sole purpose is to steal SSH keys and other sensitive credentials
  • Users struggle to distinguish official from fake servers, because the fakes use similar names and descriptions

Why MCP Became a Security Disaster Zone

MCP Design Philosophy vs Security Reality

The MCP protocol was designed to “let AI agents connect to everything”: databases, APIs, file systems, developer tools. This openness is the core of MCP's success, but it also makes MCP an ideal target for attack:

| Attack Surface | Risk Level | Reason |
|---|---|---|
| Plaintext config storage | 🔴 Critical | 48% of configs unencrypted, zero-cost credential access for attackers |
| Fake server proliferation | 🔴 Critical | 15:1 fake ratio, users cannot effectively distinguish |
| Excessive agent permissions | 🟠 High | AI agents typically have far more environment permissions than needed |
| No audit mechanisms | 🟠 High | MCP call chains lack complete audit logs |
| No standardized authentication | 🟡 Medium | Different MCP servers implement different auth methods |

The “USB Security for AI” Analogy

MCP is called the “USB interface for AI”, and the analogy holds for security too:

  • When USB first became popular, people plugged in unknown devices freely, leading to massive virus spread
  • Now MCP is at the same stage: agents freely connect to unknown MCP servers
  • History tells us: security standards and best practices are usually established only after large-scale attack events

Defense Strategies: What to Do Now

Immediately Executable (Today)

  1. Audit all MCP configuration files

    • Search for password, api_key, secret fields in *.json, *.yaml
    • Migrate all plaintext credentials to environment variables or secret management services (Vault, AWS Secrets Manager)
  2. Verify MCP server sources

    • Only use official or known-trusted MCP servers
    • Check server package signatures and publisher information
    • Compare commit hashes with official repositories
  3. Limit agent permissions

    • Follow least privilege principle: agents only need access to data required for their tasks
    • Use read-only credentials for database and file system connections
    • Create separate IAM roles/service accounts for agents
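The audit in step 1, as an added example that is not part of the article: a small Python scanner that walks a parsed MCP config in the common "mcpServers" shape (the shape and the sample values are constructed for this example), flags sensitive keys whose value is a literal string, treats "${VAR}" references as already migrated, and also catches credentials passed as "args" flags, which a key-name grep misses.

```python
import json
import re
from typing import Any

# Field names the article says to grep for, plus common variants (assumed list).
SENSITIVE_KEY = re.compile(r"(password|passwd|api[_-]?key|secret|token)", re.IGNORECASE)
# "${VAR}" or "$VAR" only references an environment variable; it is not a plaintext credential.
ENV_REFERENCE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")


def is_plaintext(value: Any) -> bool:
    """A non-empty literal string that is not an environment-variable reference."""
    return isinstance(value, str) and bool(value) and not ENV_REFERENCE.match(value)


def find_plaintext_credentials(node: Any, path: str = "$") -> list[str]:
    """Walk a parsed MCP config and return JSONPath-style locations of literal credentials.

    Two shapes are covered: sensitive keys in objects (e.g. an "env" block) and
    sensitive flags in an "args" array followed by a literal value.
    """
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if SENSITIVE_KEY.search(key) and is_plaintext(value):
                hits.append(here)
            else:
                hits.extend(find_plaintext_credentials(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            if (isinstance(item, str) and item.startswith("-") and SENSITIVE_KEY.search(item)
                    and i + 1 < len(node) and is_plaintext(node[i + 1])):
                hits.append(f"{path}[{i + 1}]")  # the value after a flag like --api-key
            else:
                hits.extend(find_plaintext_credentials(item, f"{path}[{i}]"))
    return hits


# Constructed sample in the shape of a typical "mcpServers" config; not from the article.
SAMPLE_CONFIG = json.loads("""
{"mcpServers": {
  "postgres": {"command": "mcp-server-postgres", "args": ["--host", "db.internal"],
               "env": {"PGPASSWORD": "hunter2-example"}},
  "github":   {"command": "mcp-server-github", "env": {"GITHUB_TOKEN": "${GITHUB_TOKEN}"}},
  "search":   {"command": "mcp-server-search", "args": ["--api-key", "sk-example-plaintext"]}
}}
""")

if __name__ == "__main__":
    for hit in find_plaintext_credentials(SAMPLE_CONFIG):
        print("plaintext credential at", hit)
```

Each reported path is a field to replace with a "${VAR}" reference whose value then lives in the environment or a secrets manager; the "github" entry shows the already-migrated form the scanner skips.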

Short-term Improvements (This Week)

  1. Implement MCP call auditing

    • Log all MCP tool calls with timestamps, parameters, and return values
    • Set alerts for abnormal call patterns (bulk reads, unusual IPs)
  2. Network isolation

    • Deploy MCP servers in separate network segments
    • Restrict MCP servers to only access necessary backend services
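The call auditing and alerting in step 1, as an added example that is not part of the article: audit records carrying the fields the article asks for (timestamp, parameters, return value) are run through two detection rules, a sliding-window bulk-read counter per agent and a per-agent source-IP allowlist. Record field names, tool names, thresholds and the allowlist are assumptions for this example, not an MCP standard.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Tool names treated as reads (assumed names for the sample, not an MCP standard).
READ_TOOLS = {"db.query", "fs.read_file", "secrets.get"}
BULK_THRESHOLD = 5              # more than this many reads ...
WINDOW = timedelta(seconds=60)  # ... inside this window raises an alert
# Where each agent is expected to call from (assumed allowlist).
KNOWN_SOURCES = {"report-bot": {"10.0.1.12"}}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_anomalies(records: list[dict]) -> list[str]:
    """Return alert strings for bulk reads and for calls from unexpected source IPs."""
    alerts: list[str] = []
    recent: dict[str, deque] = defaultdict(deque)  # agent -> read timestamps in window
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts, agent = parse_ts(rec["ts"]), rec["agent"]
        if rec["src_ip"] not in KNOWN_SOURCES.get(agent, set()):
            alerts.append(f"{rec['ts']} {agent}: call from unexpected source {rec['src_ip']}")
        if rec["tool"] in READ_TOOLS:
            window = recent[agent]
            window.append(ts)
            while ts - window[0] > WINDOW:  # drop reads that fell out of the window
                window.popleft()
            if len(window) == BULK_THRESHOLD + 1:  # alert once, when the threshold is crossed
                alerts.append(f"{rec['ts']} {agent}: {len(window)} reads in {WINDOW.seconds}s (bulk read)")
    return alerts


def make_log() -> list[dict]:
    """Constructed audit records: one normal query, six rapid file reads, one call from a new IP."""
    log = [{"ts": "2025-05-05T10:00:00Z", "agent": "report-bot", "tool": "db.query",
            "src_ip": "10.0.1.12", "params": {"sql": "SELECT count(*) FROM orders"}, "result_rows": 1}]
    for i in range(6):  # six config-file reads in six seconds: the bulk-read pattern to alert on
        log.append({"ts": "2025-05-05T10:05:%02dZ" % i, "agent": "report-bot", "tool": "fs.read_file",
                    "src_ip": "10.0.1.12", "params": {"path": f"/etc/app/conf{i}.json"}, "result_rows": 1})
    log.append({"ts": "2025-05-05T10:06:00Z", "agent": "report-bot", "tool": "db.query",
                "src_ip": "203.0.113.7", "params": {"sql": "SELECT 1"}, "result_rows": 1})
    return log


if __name__ == "__main__":
    for alert in detect_anomalies(make_log()):
        print("ALERT", alert)
```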

Medium-long Term Planning (This Month)

  1. Adopt standardized authentication

    • Push your team/organization toward a unified MCP authentication approach
    • Evaluate the applicability of OAuth 2.0 / mTLS to MCP
  2. Integrate security assessment into agent development process

    • Conduct MCP configuration security review before agent deployment
    • Establish security baselines and compliance checklists for MCP servers

Action Recommendations for Developers

If you are using MCP:

  • Check your MCP config files today: plaintext credentials are the most easily exploited attack surface
  • Use grep -r "api_key\|password\|secret" ~/.config/mcp/ for quick scanning

If you are developing MCP servers:

  • Require encrypted credential storage by default
  • Implement request rate limiting and anomaly detection
  • Provide clear server identity verification mechanisms

If you deploy AI agents in enterprise environments:

  • Include MCP security in existing security audit frameworks
  • Establish MCP server whitelisting mechanisms
  • Regularly scan for fake servers

Landscape Assessment

The essence of the MCP security crisis is that the security of AI agent ecosystem infrastructure has not kept pace with the ecosystem's growth. When 48% plaintext credential storage and a 15:1 fake ratio lie behind 97 million installations (MCP install data), large-scale security events are only a matter of time.

Good news: the industry is aware of the problem. CISA (US Cybersecurity and Infrastructure Security Agency) and the Five Eyes have already published AI agent security guidelines in May. But there is still a gap between guidelines and implementation; until it closes, every developer using MCP needs to take on security responsibility themselves.