{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T06:59:56Z","timestamp":1782975596691,"version":"3.54.5"},"reference-count":65,"publisher":"IEEE","license":[{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2023YFB3107100"],"award-info":[{"award-number":["2023YFB3107100"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,5,18]]},"DOI":"10.1109\/sp63933.2026.00154","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T19:34:20Z","timestamp":1782934460000},"page":"138-155","source":"Crossref","is-referenced-by-count":0,"title":["Parasites in the Toolchain: A Large-Scale Analysis of Attacks on the MCP Ecosystem"],"prefix":"10.1109","author":[{"given":"Shuli","family":"Zhao","sequence":"first","affiliation":[{"name":"Shanghai Jiao Tong University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Qinsheng","family":"Hou","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zihan","family":"Zhan","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yanhao","family":"Wang","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yuchong","family":"Xie","sequence":"additional","affiliation":[{"name":"The Hong Kong University of Science and Technology"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yu","family":"Guo","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Libo","family":"Chen","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Shenghong","family":"Li","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhi","family":"Xue","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"Measuring AI agent autonomy in practice","year":"2026"},{"key":"ref2","volume-title":"Download Claude | Claude by Anthropic","year":"2026"},{"key":"ref3","volume-title":"Cursor: The best way to code with AI","year":"2026"},{"key":"ref4","volume-title":"Using tools I uv","year":"2026"},{"key":"ref5","volume-title":"Trends Hub","year":"2026"},{"key":"ref6","volume-title":"What 17,845 GitHub Repos Taught Us About Malicious MCP Servers","author":"Quintero","year":"2026"},{"key":"ref7","article-title":"Design patterns for securing LLM agents against prompt injections","volume":"abs\/2506.08837","author":"Beurer-Kellner","year":"2025","journal-title":"CoRR"},{"key":"ref8","volume-title":"The Web MCP","year":"2026"},{"key":"ref9","article-title":"Can llm-generated misinformation be detected? In The Twelfth International Conference on Learning Representations","volume-title":"ICLR 2024","author":"Chen","year":"2024"},{"key":"ref10","volume-title":"Cline - AI Coding, Open Source and Uncompromised","year":"2026"},{"key":"ref11","volume-title":"Discogs MCP Server","year":"2026"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3637528.3671458"},{"key":"ref13","article-title":"\u201cthey are uncultured\u201d: Unveiling covert harms and social threats in LLM generated conversations","volume-title":"Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing, EMNLP 2024","author":"Prabhu","year":"2024"},{"key":"ref14","volume-title":"CodeX App Code Injection Vulnerability","year":"2026"},{"key":"ref15","volume-title":"HAL (HTTP API Layer)","year":"2026"},{"key":"ref16","volume-title":"Hacker News MCP Server","year":"2026"},{"key":"ref17","volume-title":"MCP Connect","year":"2026"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.findings-emnlp.301"},{"key":"ref19","article-title":"Systematic analysis of MCP security","volume":"abs\/2508.12538","author":"Guo","year":"2025","journal-title":"CoRR"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.findings-acl.664"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3814959"},{"key":"ref22","article-title":"Model context protocol (MCP): landscape, security threats, and future research directions","volume":"abs\/2503.23278","author":"Hou","year":"2025","journal-title":"CoRR"},{"key":"ref23","volume-title":"MCP Security Notification: Tool Poisoning Attacks","year":"2026"},{"key":"ref24","volume-title":"Contentful MCP Server","year":"2026"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.findings-emnlp.123"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.5259751"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/MASS66014.2025.00090"},{"key":"ref28","volume-title":"Prompt Security Top 10: Key Security Risks for MCPs","author":"Drihem","year":"2026"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.52202\/075280-0943"},{"key":"ref30","article-title":"Trustworthy llms: a survey and guideline for evaluating large language models\u2019 alignment","volume":"abs\/2308.05374","author":"Liu","year":"2023","journal-title":"CoRR"},{"key":"ref31","volume-title":"Discover Top MCP Servers I MCP Market","year":"2026"},{"key":"ref32","volume-title":"What is the Model Context Protocol (MCP)?","year":"2026"},{"key":"ref33","volume-title":"MCP Python SDK","year":"2026"},{"key":"ref34","article-title":"Enterprise-grade security for the model context protocol (MCP): frameworks and mitigation strategies","volume":"abs\/2504.08623","author":"Narajala","year":"2025","journal-title":"CoRR"},{"key":"ref35","article-title":"Codexleaks: Privacy leaks from code generation language models in github copilot","volume-title":"32nd USENIX Security Symposium, USENIX Security 2023","author":"Niu"},{"key":"ref36","volume-title":"npx I npm Docs","year":"2026"},{"key":"ref37","volume-title":"MCP-SEC","year":"2026"},{"key":"ref38","volume-title":"Gitee MCP Server","year":"2026"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2023.findings-emnlp.97"},{"key":"ref40","volume-title":"Gorilla: Large language model connected with massive apis. In Advances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024","author":"Patil","year":"2024"},{"key":"ref41","volume-title":"Agentic Tools MCP Server","year":"2026"},{"key":"ref42","volume-title":"MCP Server Directory I PulseMCP","year":"2026"},{"key":"ref43","volume-title":"Awesome MCP Servers","year":"2026"},{"key":"ref44","article-title":"MCP safety audit: Llms with the model context protocol allow major security exploits","volume":"abs\/2504.03767","author":"Radosevich","year":"2025","journal-title":"CoRR"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.52202\/068431-1793"},{"key":"ref46","volume-title":"Protecting against indirect prompt injection attacks in MCP","author":"Young","year":"2026"},{"key":"ref47","article-title":"Hatebench: Benchmarking hate speech detectors on 11 m -generated content and hate campaigns","volume-title":"34th USENIX Security Symposium, USENIX Security 2025","author":"Shen"},{"key":"ref48","volume-title":"The Demo Site of Parasites in the Toolchain: A Large-Scale Analysis of Attacks on the MCP Ecosystem","author":"Zhao","year":"2026"},{"key":"ref49","volume-title":"The Dual LLM pattern for building AI assistants that can resist prompt injection","author":"Willison","year":"2026"},{"key":"ref50","volume-title":"Snyk Agent Scan","year":"2026"},{"key":"ref51","article-title":"Beyond the protocol: Unveiling attack vectors in the model context protocol ecosystem","volume":"abs\/2506.02040","author":"Song","year":"2025","journal-title":"CoRR"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.52202\/075280-3275"},{"key":"ref53","article-title":"Obliinjection: Order-oblivious prompt injection attack to LLM agents with multisource data","volume":"abs\/2512.09321","author":"Wang","year":"2025","journal-title":"CoRR"},{"key":"ref54","article-title":"Obliinjection: Order-oblivious prompt injection attack to LLM agents with multisource data","volume":"abs\/2512.09321","author":"Wang","year":"2025","journal-title":"CoRR"},{"key":"ref55","article-title":"Mcptox: A benchmark for tool poisoning attack on real-world MCP servers","volume":"abs\/2508.14925","author":"Wang","year":"2025","journal-title":"CoRR"},{"key":"ref56","article-title":"MPMA: preference manipulation attack against model context protocol","volume":"abs\/2505.11154","author":"Wang","year":"2025","journal-title":"CoRR"},{"key":"ref57","volume-title":"Desktop Commander MCP","year":"2026"},{"key":"ref58","article-title":"On the security of tool-invocation prompts for 11 m -based agentic systems: An empirical risk assessment","volume":"abs\/2509.05755","author":"Xie","year":"2025","journal-title":"CoRR"},{"key":"ref59","article-title":"Mcpsecbench: A systematic security benchmark and playground for testing model context protocols","volume":"abs\/2508.13220","author":"Yang","year":"2025","journal-title":"CoRR"},{"key":"ref60","article-title":"LLM lies: Hallucinations are not bugs, but features as adversarial examples","volume":"abs\/2310.01469","author":"Yao","year":"2023","journal-title":"CoRR"},{"key":"ref61","article-title":"React: Synergizing reasoning and acting in language models","volume-title":"The Eleventh International Conference on Learning Representations, ICLR 2023","author":"Yao"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2024.acl-long.773"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00208"},{"key":"ref64","article-title":"When MCP servers attack: Taxonomy, feasibility, and mitigation","volume":"abs\/2509.24272","author":"Zhao","year":"2025","journal-title":"CoRR"},{"key":"ref65","article-title":"Universal and transferable adversarial attacks on aligned language models","volume":"abs\/2307.15043","author":"Zou","year":"2023","journal-title":"CoRR"}],"event":{"name":"2026 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2026,5,18]]},"end":{"date-parts":[[2026,5,21]]}},"container-title":["2026 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11573355\/11573356\/11573638.pdf?arnumber=11573638","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T05:28:28Z","timestamp":1782970108000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11573638\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,18]]},"references-count":65,"URL":"https:\/\/doi.org\/10.1109\/sp63933.2026.00154","relation":{},"subject":[],"published":{"date-parts":[[2026,5,18]]}}}