The Mother of All AI Supply Chains
How an Anthropic design choice exposed 150M+ downloads and 200K servers to complete takeover
The OX Security Research team has uncovered a systemic AI supply chain vulnerability in Anthropic’s Model Context Protocol (MCP). This RCE-by-Design flaw is an architectural choice that creates a critical security risk for any organization building with AI agents.
Critical Security Impact & Findings
- Remote Code Execution (RCE): Enables unauthorized access to sensitive user data, internal databases, and API keys.
- Systemic Exposure: Affects 150M+ downloads across Python, TypeScript, Java, and Rust MCP SDKs.
- Supply Chain Attack Vectors: Verified Zero-Click Prompt Injection in Cursor and Windsurf, plus “poisoned” MCP registries.
- Vulnerable AI Frameworks: Impacting industry staples like LangChain, LiteLLM, and IBM’s LangFlow.
The Call for “Secure by Design” AI
Through 30+ responsible disclosures and 10+ High/Critical CVEs, OX Security has worked to patch the downstream impact. However, the root cause remains at the protocol level. This research is a call for AppSec leaders and AI vendors to prioritize Software Supply Chain Security and “Secure by Design” architecture.