What if the tool that writes your code for you could also run arbitrary commands on your machine — and an attacker only had to trick it once?

On April 16, 2026, security researchers at OX Security dropped a bombshell: Anthropic's Model Context Protocol (MCP), the connective tissue powering Claude Code, Cursor, Windsurf, VS Code Continue, and a growing army of enterprise AI coding assistants, contains a fundamental design flaw that exposes over 200,000 servers to complete remote takeover.

Anthropic's response? "Expected behavior."

The Protocol That Powers Everything

Six months ago, MCP was a niche specification for wiring tools into AI assistants. Today it is the backbone of modern AI-powered development. Every major AI coding assistant relies on MCP servers to read files, query APIs, run database queries, and execute shell commands on behalf of the user.

That ubiquity is exactly what makes this flaw catastrophic.

The Design Flaw: STDIO as a Weapon

MCP uses STDIO (standard input/output) as a local transport mechanism for AI applications to spawn MCP servers as subprocesses. The OX Security team discovered that this mechanism effectively allows anyone to run arbitrary OS commands on the host machine.

The researchers repeatedly asked Anthropic to patch the root issue. The company declined, citing the behavior as "expected."

Meanwhile, the CVEs kept coming.

30 CVEs in 60 Days

In the first two months of 2026 alone, security researchers filed over 30 CVEs against MCP servers and SDKs. Thirteen were rated Critical. The vulnerable projects include:

  • LangFlow — IBM's open-source low-code framework for building AI applications
  • GPT Researcher — CVE-2025-65720
  • Upsonic — CVE-2026-30625
  • Flowise — GHSA-c9gw-hvqq-f33r
  • Windsurf — CVE-2026-30615 (zero-click prompt injection)

The attack vectors are not theoretical. They are shipping in production code right now.

Four Ways In

The OX team identified four distinct exploit families:

  1. Unauthenticated/authenticated command injection — Attacker-controlled commands run directly on the server without authentication or sanitization
  2. Hardening bypass — Even "hardened" implementations that restrict allowed commands can be bypassed (e.g., npx -c <command>)
  3. Zero-click prompt injection — AI IDE configurations are modified without any user interaction
  4. Marketplace poisoning — Researchers successfully submitted malicious MCP servers to 9 out of 11 marketplaces, each with hundreds of thousands of monthly visitors

North Korea Already Came for Your AI Assistant

On March 31, 2026, a North Korean threat actor (UNC1069) compromised the Axios npm package — with over 100 million weekly downloads. The injected payload specifically targeted AI coding assistants.

When the malware found Claude Code, Cursor, VS Code Continue, or Windsurf configurations, it injected a rogue MCP server definition. The AI itself became the exfiltration channel — silently reading sensitive files and shipping data through the assistant's own context window.

This is not a supply chain attack. This is an AI supply chain attack — and your coding assistant is the unwitting accomplice.

The Numbers Are Terrifying

  • 200,000+ MCP servers exposed to arbitrary command execution
  • 150 million+ downloads of vulnerable MCP-dependent packages
  • 7,374 publicly reachable vulnerable MCP servers found via Shodan
  • 24,008 secrets extracted from MCP configuration files on public GitHub — 2,117 confirmed live
  • 30+ CVEs in 60 days

Why Anthropic Won't Fix It

Anthropic claims the behavior is "expected." The company quietly updated its security policy to warn that MCP adapters "should be used with caution" — a disclaimer, not a fix.

The OX researchers argue that one architectural change at the protocol level would have protected every downstream project, every developer, and every end user. Instead, the burden has been pushed to individual tool maintainers to patch around a fundamentally unsafe protocol.

What You Should Do Right Now

  1. Audit your MCP server configurations — Check Claude Code, Cursor, Windsurf, VS Code Continue for unauthorized MCP server definitions
  2. Block known IOCs: C2 domain sfrclak[.]com, IP 142.11.206.73
  3. Rotate any secrets found in MCP configuration files
  4. Sanitize user inputs passed to MCP command parameters
  5. Implement command allowlisting — but be aware that bypasses exist
  6. Treat MCP marketplaces as untrusted — verify every MCP server before installation

The Bigger Picture

This is not just a vulnerability. It is a paradigm shift in how attackers think about supply chains. NPM was dangerous enough. Now the attack surface extends to the AI that writes your code, reviews your pull requests, and has read access to your entire codebase.

The question is no longer "Can I trust this dependency?" It is "Can I trust the AI that recommended it?"

Your AI coding assistant is no longer just a productivity tool. It is an attack vector — and the adversaries know it.

Sources: OX Security MCP Advisory, The Register, Lorikeet Security, Cyber Kendra, Google GTIG, Microsoft, Elastic Security Labs, Unit 42