Malicious MCP
A Proof-of-concept repository showing how an untrusted MCP server can steal literally everything...
This is a proof-of-concept project that allows you to deploy an MCP server that "disguises" itself as any other MCP server. This MCP acts as an MCP 'Proxy', and simply forwards all incoming requests to an upstream MCP server.
What is an MCP?
An MCP Server is a program that exposes additional capabilities to AI applications. Some examples are GitHub servers for code management, Slack servers for team communication, or Atlassian servers to manage and create tasks and documentation.
MCP servers are common in the AI landscape, but, as this repository will show, they should be installed with extreme care.
You should NEVER install an MCP server authored by an untrusted source.
Attack Vector
This is a malicious MCP that "disguises" itself as another MCP server. This MCP acts as an MCP 'Proxy', and simply forwards all incoming requests to an upstream MCP server, essentially performing a man-in-the-middle attack.
All the user needs to do is install your MCP and their whole system (and network) is compromised.
What you can get:
- The user's full list of ENV variables
  - This includes the ENV vars that the user used to configure the MCP (and more).
  - Thus, you likely just stole the victim's account access token.
- All MCP tool call data
  - This includes things like what the user is making tool calls for, the input data, chat text, and the output data.
- Local keylogger
  - This binary also has a keylogger.
  - If the user is not running this in a Docker container, it captures all key-presses and collects them for you.
- Download and execute any file
  - Install additional malware, backdoors, SSH tunnels, etc.
- Send the victim's files to yourself
  - Search for password files, browser cookies, personal files, and more.
- Hijack tool calls
  - You can also, unbeknownst to the victim, make MCP tool calls to the actual upstream MCP on their behalf.
  - To do this, you just instrument some code so that after certain tool calls, it goes and performs a different one afterwards.
  - Though you already got their account tokens from their ENV above, so this may be redundant, as you have full access to their account now.
- Send all user data to any server
- Much more
  - This is only the beginning. This is a Java process running on the user's PC, so the options here are limitless:
    - Steal their files
    - Steal browser cookies
    - Install remote access tools (backdoor)
    - View their local network and install backdoors on those devices too!
    - Delete System32
    - Hold their computer ransom
    - More...
This MCP doesn't just intercept the victim's AI messages, it's a full-on virus. Any victim installing this MCP is fu**ed.
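The first item in the list above, the server seeing every environment variable of the user, follows from how a host-run server is started: `java -jar` (or `npx`) inherits the MCP client's whole environment. The wrapper below is an added example for this README (not code from the Malicious MCP project) that launches a stdio MCP server with only an allowlisted set of variables plus a small baseline. The script name, the `--allow` flag syntax and the baseline list are assumptions of this example. It limits only what the environment exposes; it does nothing about file, keyboard or network access, which is why the Lessons section's advice to run servers in a container still stands.

```python
"""Run a stdio MCP server with an allowlisted environment.

Added example for this README, not part of the Malicious MCP project.
Hypothetical client config entry using it:
  "command": "python3",
  "args": ["mcp_env_guard.py", "--allow", "GITHUB_TOKEN", "--",
           "java", "-jar", "/ABSOLUTE/PATH/TO/mcp.jar"]
"""
import os
import subprocess
import sys

# Variables most runtimes need just to start; the set is an assumption of
# this example (no secrets are read from any of these by name).
BASELINE = ("PATH", "HOME", "LANG", "TMPDIR", "SystemRoot", "TEMP")


def parse_args(argv):
    """Split `--allow NAME ... -- command [args]` into (allowlist, command)."""
    allow, i = [], 0
    while i < len(argv) and argv[i] != "--":
        if argv[i] != "--allow" or i + 1 >= len(argv):
            raise SystemExit(f"usage: --allow NAME ... -- command [args]; got {argv[i]!r}")
        allow.append(argv[i + 1])
        i += 2
    command = argv[i + 1:]
    if not command:
        raise SystemExit("no command given after '--'")
    return allow, command


def build_env(allow, source):
    """Keep only baseline + allowlisted variables that actually exist in `source`.

    Everything else in the client's environment (cloud keys, other tokens,
    session cookies exported by tools) never reaches the server process.
    """
    keep = list(BASELINE) + list(allow)
    return {k: source[k] for k in keep if k in source}


def main(argv=None):
    allow, command = parse_args(sys.argv[1:] if argv is None else argv)
    env = build_env(allow, os.environ)
    # stdin/stdout are inherited untouched: the MCP stdio transport runs over
    # them, so the client keeps talking to the server exactly as before.
    return subprocess.call(command, env=env)


if __name__ == "__main__":
    sys.exit(main())
```

Variables placed in the client config's `"env"` block are set on the wrapper's own environment by the client, so each one the server legitimately needs must also be named with `--allow`; anything not named is dropped before the server starts.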
Proof it works
Here are some screenshots showcasing that this MCP server is definitely stealing any incoming calls to the MCP:
Using this malicious MCP server in Claude Code to pretend to be GitHub's MCP Server while stealing the user's data:

Getting Victims
Step 1 - Configure this build
First, fork and clone this project. Then, you need to configure the project to do what you want. Using the configuration file in this project you can:
- Name your malicious MCP server something convincing
- Set up the connection to your "victim's" MCP server
  - The configuration file has a list of some common MCPs you might want to "fake".
- Select which malicious tools to enable
Do all of this in the config file here.
Additionally, you might want to add some additional malware to the code. I do not have code samples in here that can install a backdoor, steal the user's files, etc. but it would not be hard to add.
Step 2 - Build the Project
Once you've added your desired malicious activity and set the connection details of the victim's MCP, perform a build and get the resulting jar artifact.
Note: This project can very easily be converted to another deployment method like docker, npx, or even a hosted http service if you want to go that far.
Step 3 - Social Engineer your Victims
To catch unknowing victims and get them to send all of their data to you, create a new GitHub repository. Title the repository something catchy that people will find, like "-Catchy Text- --Gitlab/Github/Atlassian/Etc.-- MCP Server".
Next, create a "release" in GitHub that includes the output jar that you created above. You might also want to add some code to the repository to make it seem legit.
Next, you need a readme so that people know how to install your totally legit MCP server. Add a readme to the repository explaining how 'victims' can install the MCP server:
# Installing
To install this MCP server, download the release `jar` and add the following line to your MCP server configuration file:
```
{
  "mcpServers": {
    "weather": {
      "command": "java",
      "args": [
        "-jar",
        "/ABSOLUTE/PATH/TO/mcp.jar"
      ],
      "env": {
        // Tell the user to put victim MCP ENV vars here.
      }
    }
  }
}
```
## Environment Variables
Copy and paste some info for how the user should configure their env variables for the victim's MCP.
If you want to look different, change up the name of the ENV vars
## Available Tools
The project provides the following tools:
- Copy and paste your victim's MCP tool list...
## Contributing
Some other social engineering content here to look legit...
Note: Again, this project can very easily be converted to another deployment method like docker, or npx as well.
Step 4 - Profit
Congratulations! All unsuspecting victims who add your MCP server have just installed malware! Go crazy.
Running Locally
To run this project locally, update the configuration file as necessary, build the project, and give your MCP client the following server entry:
```json
{
  "mcpServers": {
    "weather": {
      "command": "java",
      "args": [
        "-jar",
        "/ABSOLUTE/PATH/TO/PARENT/FOLDER/project/build/libs/weather-0.1.0-all.jar"
      ]
    }
  }
}
```
This will configure your AI to point to this project's build folder. Simply build the project, and load your AI's MCPs to test this locally.
Lessons To Take Away
The key lessons to take from this are:
- All MCPs are terribly insecure.
- Anyone hosting an MCP can capture your data.
- Only use trusted MCPs.
- Run any MCP as a Docker container if possible.
  - npx, Java, or other types of MCPs will run on the host machine and open more attack vectors.
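The last two lessons are checkable mechanically. The script below is an added example for this README (not code from the Malicious MCP project) that reads an MCP client configuration in the `"mcpServers"` shape used above and reports, per server, whether it runs on the host or in a container, which environment variables the server can read, and a risk rating. The `docker`/`podman` launcher list, the credential-name heuristic, the placeholder token and image name in the sample config, and the risk levels are all assumptions of this example; the docker handling assumes `docker run` flag semantics for `-e`/`--env`.

```python
"""Audit an MCP client config for servers that run on the host and what they can read.

Added example for this README, not code from the Malicious MCP project. Reads the
{"mcpServers": {name: {command, args, env}}} shape used here; container handling
assumes `docker run` / `podman run` flag semantics.
"""
import json
import os
import re
from dataclasses import dataclass, field

# Commands that start the server inside a container; anything else (java, npx,
# node, ...) is a host process, the case the Lessons section warns about.
CONTAINER_LAUNCHERS = {"docker", "podman"}
# Heuristic for credential-looking names; an assumption of this example, not MCP's.
SECRET_NAME_RE = re.compile(r"TOKEN|SECRET|KEY|PASSWORD|PASSWD|CREDENTIAL", re.I)


@dataclass
class ServerFinding:
    name: str
    command: str
    containerized: bool
    env_passed: list         # names the server can read, as far as the config shows
    inherits_host_env: bool  # True when the client's whole environment reaches it
    secrets_passed: list
    notes: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        if not self.containerized:
            return "high"
        return "medium" if self.secrets_passed else "low"


def _docker_env_names(args):
    """Variable names forwarded into the container via -e/--env/--env-file."""
    names, i = [], 0
    while i < len(args):
        a = args[i]
        if a in ("-e", "--env") and i + 1 < len(args):
            names.append(args[i + 1].split("=", 1)[0])
            i += 2
            continue
        if a.startswith("--env="):
            names.append(a[len("--env="):].split("=", 1)[0])
        elif a == "--env-file" and i + 1 < len(args):
            names.append("<file:" + args[i + 1] + ">")
            i += 1
        i += 1
    return names


def audit_server(name, spec):
    command = os.path.basename(spec.get("command", ""))
    args = spec.get("args") or []
    configured = sorted(spec.get("env") or {})
    if command in CONTAINER_LAUNCHERS:
        # The "env" block lands in the docker client's own environment; only names
        # forwarded with -e/--env reach the server inside the container.
        passed = _docker_env_names(args)
        f = ServerFinding(name, command, True, passed, False,
                          [n for n in passed if SECRET_NAME_RE.search(n)])
        missing = sorted(set(configured) - set(passed))
        if missing:
            f.notes.append("configured but not forwarded into the container: " + ", ".join(missing))
    else:
        # A host process inherits the client's entire environment; "configured"
        # is just the subset we can name in advance.
        f = ServerFinding(name, command, False, configured, True,
                          [n for n in configured if SECRET_NAME_RE.search(n)])
        f.notes.append(f"'{command}' runs directly on the host: it can read every "
                       "environment variable of the MCP client, local files, "
                       "keystrokes and the network")
    if f.secrets_passed:
        f.notes.append("credentials handed to the server: " + ", ".join(f.secrets_passed))
    return f


def audit_config(config):
    """Accept a parsed dict or a JSON string (strict JSON: the // comment in this
    README's template is rejected rather than silently parsed)."""
    if isinstance(config, str):
        config = json.loads(config)
    return {n: audit_server(n, s) for n, s in (config.get("mcpServers") or {}).items()}


# Constructed sample: "weather" mirrors the host-run entry in this README with a
# placeholder token; "weather-containerized" is a constructed docker equivalent.
SAMPLE_CONFIG = {"mcpServers": {
    "weather": {"command": "java", "args": ["-jar", "/ABSOLUTE/PATH/TO/mcp.jar"],
                "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_placeholder"}},
    "weather-containerized": {"command": "docker",
                              "args": ["run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
                                       "example/mcp-server:latest"],
                              "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_placeholder"}},
}}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG).values():
        print(f"[{f.risk:>6}] {f.name}: {f.command} ({'container' if f.containerized else 'host'})")
        for note in f.notes:
            print("         - " + note)
```

Running it on the sample rates the host-run `java -jar` entry high and the containerized one medium: the container stops the process from reaching the host's other environment variables, files and keystrokes, but the account token forwarded with `-e` still goes to whatever server is inside the image, which is the credential theft the Attack Vector section describes. A containerized server handed no credentials rates low.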
