Top MCP security resources — July 2026
July’s security digest covers the critical MCP vulnerabilities, real-world MCP exploitation, NSA’s official MCP hardening guidelines. Explore these essential resources and secure our MCP servers.
Coding Agent Security Digest Sergey todayJuly 9, 2026
July 2026 exposed a harsh reality for developer productivity tools: AI coding agents are actively expanding our attack surface faster than we can patch them. This month was dominated by catastrophic supply chain flaws, notably the poisoning of the Claude Code GitHub Action and the revelation of GuardFall, a universal shell injection design flaw affecting over half a million open-source deployments. Agents became fully autonomous teammates executing commands in CI/CD pipelines, and legacy security paradigms like string-based denylists and static skill scanning are proving completely obsolete against dynamic, compositional attacks.
Total resources: 19
Category breakdown:
Researchers trivially bypassed ClawHub, Cisco’s skill scanner, and all three skills.sh scanners in under an hour. The simplest bypass involved prepending 100,000 newlines, which caused the VirusTotal and GPT-5.5 guards to truncate the file before the payload and falsely mark it safe.
Mozilla’s 0DIN research shows how a perfectly clean GitHub repo can hijack Claude Code by throwing a fake setup error. The agent is prompted to run an init script that fetches a reverse-shell payload from a DNS TXT record, rendering the attack invisible to standard scanners.
A proof-of-concept attack managed to plant malicious instructions in Sentry error events via a public DSN. Consequently, MCP-connected agents like Claude Code, Cursor, and Codex executed the attacker code at 85% success across thousands of exposed organizations.
An empirical study of command-denylist bypasses in terminal coding agents focuses specifically on Claude Code’s built-in denylist. A custom ShellSieve pipeline analyzing 1,709 real-world denylists proves how fundamentally shell semantics defeat static string-based security guards.
The VulMask attack framework successfully hides malicious behavior in a coding-agent skill’s auxiliary resources by disguising it as vulnerability-shaped code. This technique effortlessly evades skill scanners and automated reviewers across major coding agents.
Johann Rehberger demonstrates a severe time-of-check/time-of-use (TOCTOU) attack against computer-use and coding agents. By altering the UI between the agent’s visual check and its physical action, the agent is tricked to click or approve something unintended.
Adversa AI demonstrated that decades-old shell-quoting bypasses easily defeat pattern-based command guards in 10 out of 11 popular open-source coding agents. This is a severe structural design flaw lacking a formal CVE, leaving thousands of deployments critically exposed.
Security researchers successfully chained an authorization bypass, indirect prompt injection, and environment-variable exfiltration within the Claude Code GitHub Action. This meant a single public GitHub issue could compromise any repo utilizing the workflow.
Microsoft Threat Intelligence revealed that the un-sandboxed Read tool in the Claude Code GitHub Action could arbitrarily read /proc/self/environ. This critical flaw leaked the ANTHROPIC_API_KEY via prompt injection hidden within untrusted GitHub content.
SCR-Bench systematically measures how individually-benign coding-agent skills can compose into highly harmful behaviors when chained together. The research exposes a vast compositional attack surface that traditional per-skill scanning architectures completely miss.
PORTICO introduces a reference monitor that issues coding agents epoch-bound, fully revocable capability handles. This framework effectively closes the dangerous lingering authority gap where an agent’s tool access outlives the specific subgoal that originally required it.
‘Locate-and-Judge’ proposes a novel two-stage attention-based detector designed specifically for malicious skills loaded by agents like Claude Code and Gemini CLI. It provides a robust defense mechanism against the escalating skill supply-chain threat emerging from third-party marketplaces.
This solution leverages an eBPF and information-flow-control DSL to enforce CLAUDE.md and AGENTS.md-style security policies directly at the OS kernel level. Evaluated across coding and safety benchmarks, it rigorously hardens coding-agent harnesses to prevent unauthorized execution.
This comprehensive benchmark comprises 3,944 runtime-verified malicious skills specifically targeting coding-agent ecosystems like Claude Code. It allows security teams to conduct a systematic evaluation of skill scanners against authentic, real-world malicious behaviors.
A highly curated resource detailing ten in-loop security skills and MCP servers that coding agents can proactively invoke mid-session. It features rigorous hands-on testing alongside honest capability assessments for both Claude Code and Cursor.
Microsoft AI Red Team’s v2.0 taxonomy update formally adds seven new agentic failure modes, including supply-chain compromise and excessive agency. Backed by 12 months of operational data, it highlights that consent-fatigue bypass remains the most actively exploited vulnerability.
The OWASP GenAI Security Project’s latest update catalogs real-world incidents, CVEs, and vendor advisories strictly mapped to the Top 10 for Agentic Applications. It provides security leaders with a much-needed governance maturity matrix and detailed regulatory landscape overview.
An exhaustive enterprise guide detailing how to properly run Claude Code in a restricted sandbox, encompassing deep filesystem and network isolation strategies. It covers essential corporate configurations integrating Zscaler, Intune/Jamf, and AWS Bedrock.
This practical roadmap frames 2026 as the definitive agent-engineering phase, explicitly outlining why a system’s blast radius inherently grows alongside its autonomous capabilities. It relies heavily on Anthropic’s sandboxing methods and OWASP’s MCP Top 10 to establish guidelines for secure cloud teammates.
The incidents this month confirm that attempting to secure coding agents through model-level filters, command denylists, and isolated code/skill scanning is a failed strategy. Attackers are easily traversing trust boundaries using DNS TXT records, UI manipulation, and compositional logic that bypasses these guards entirely. Security engineering teams must complement existing filters with hard OS-level enforcement, runtime security aware of agentic execution chain, ephemeral capabilities that revoke automatically, and comprehensive network sandboxing for all agent harnesses in the CI/CD pipeline.
Written by: Sergey
MCP Security Sergey
July’s security digest covers the critical MCP vulnerabilities, real-world MCP exploitation, NSA’s official MCP hardening guidelines. Explore these essential resources and secure our MCP servers.
(c) Adversa AI, 2026. Continuous red teaming of AI systems, trustworthy AI research & advisory
Privacy, cookies & security compliance · Security & trust center