Safeguard
Tag

mcp-security

Safeguard articles tagged "mcp-security" — guides, analysis, and best practices for software supply chain and application security.

57 articles

AI Security

The postmark-mcp Backdoor: What MCP Server Vetting Should Look Like

A trojanized MCP server BCC'd every email it sent to an attacker for weeks, downloaded 1,643 times, before anyone noticed. Here's the pattern and the fix.

Jul 16, 20267 min read
AI Security

Least-privilege scoping for AI agents with write access to code, CI, and cloud

OWASP's 2025 LLM Top 10 names Excessive Agency a top risk; a single over-scoped CI token already dumped secrets from 23,000+ repos in 2025.

Jul 10, 20268 min read
AI Security

A Reproducible Rubric for Measuring Prompt-Injection Risk in Agent Skills

OWASP has ranked prompt injection the #1 LLM risk for two straight editions, yet almost no one scores agent skill packages for it consistently. Here's a rubric.

Jul 9, 20266 min read
AI Security

Governing AI agents inside the execution loop

Snyk's Evo Agentic Development Security, in open preview since June 23, 2026, hooks directly into an agent's tool calls — proof that pre-deployment review can't govern a decision made mid-session.

Jul 7, 20268 min read
AI Security

How to build and justify an AI security budget

CVE-2025-6514 let a flawed MCP proxy escalate to full remote code execution — a preview of why AI/agentic risk needs its own budget line, not a slice of the AppSec line.

Jul 7, 20268 min read
AI Security

New security risks across the agentic development lifecycle

Snyk found 76 confirmed-malicious skills among 3,984 analyzed and roughly a third of public MCP servers carrying exploitable flaws — legacy AppSec never modeled an agent as the author.

Jul 7, 20267 min read
Open Source Security

Protestware via prompt injection: when maintainers target AI agents

jqwik 1.10.0 shipped a hidden instruction telling AI coding agents to delete their own tests, then erased it from the terminal with ANSI codes — protestware built for agents, not humans.

Jul 7, 20267 min read
AI Security

Securing MCP integrations for enterprise AI assistants

Claude's May 2026 enterprise and desktop expansion put MCP tool calls in front of compliance teams and IDEs alike — governance can no longer be an afterthought.

Jul 7, 20268 min read
AI Security

What agentic coding environments reveal about developer risk

Snyk analyzed nearly 10,000 real developer environments and found 43% run 2+ AI coding tools at once — with MCP servers and skills quietly widening the attack surface.

Jul 7, 20267 min read
Industry Events

Black Hat Arsenal 2026 Preview: The Agentic AI and Supply-Chain Tools to Watch

Black Hat USA 2026 runs August 1–6 at Mandalay Bay, with Arsenal August 4–6. Here is an honest preview of the open-source tool categories worth your time — and how to tell signal from demo-day hype.

Jun 17, 20267 min read
AI Security

Agent hijacking: the real-world impact of prompt injection

From a zero-click Microsoft 365 Copilot breach to poisoned MCP servers, AI agent hijacking is now a real, documented software supply chain threat.

Jun 14, 20267 min read
AI Security

mcp-scan: detecting malicious MCP tool definitions

MCP lets AI agents call tools via plain-text descriptions the model trusts blindly. Here's how mcp-scan catches poisoning, rug-pulls, and shadowing.

Jun 13, 20266 min read
mcp-security — Safeguard Blog