Agent Security | July 3, 2026 | 5 min read

Every Agent Has a Door. Most Are Unlocked.

By May 2026, Censys counted over 21,000 exposed MCP servers. CVE-2026-33032 and Anthropic’s own Git MCP flaws show exactly what an unlocked one costs.

People think the risk in AI agents lives in the model. Get the prompt right, filter the output, and you are safe. That is the story most teams tell themselves.

It is not what is actually happening. By late April 2026, Censys had counted 12,520 internet-facing MCP servers across 8,758 IP addresses in 56 countries. Two weeks later the count passed 21,000. Model Context Protocol is the wire an agent uses to reach a tool: a database, a filesystem, a deploy pipeline, a company’s internal API. Censys could count every one of those servers for a specific reason: MCP defines an OAuth 2.1 authorization scheme, then marks it optional. A server that skips it is not misconfigured. It is following the spec.

[Figure: Prismor checking every tool call, shell command, file write, package install, and MCP interaction before execution, positioned between the developer's IDE agent and MCP servers with no, weak, or full authentication.]
The tool-call boundary sits between the agent and every MCP server it talks to, regardless of whether that server checked for a password.

The wire behind the room

Here is the part people miss: a model is just a room where decisions get made. The decisions do not matter until they turn into actions, and actions travel through tool calls. That is where the agent writes a file, runs a command, hits an API, or talks to an MCP server. Secure the room all you want. If the wires leaving it are unlocked, the room was never the risk.

An open MCP server is a door with no lock and no camera. Anyone who finds it can hand the agent a tool description, a fake instruction, a poisoned result, and the agent has no way to tell that from the real thing. It does not know the difference between the team that built it and a stranger who found the door. It just sees a tool call, and it executes.

Same gap, new wire

This is the same failure mode, dressed up in new language each time. Supply chain attacks work because a package’s install script is a door nobody watched. Prompt injection works because the model cannot tell instructions from data once they are both just text. MCP exposure is the same gap wearing a new protocol. Same shape, same blind spot, different wire.

A year earlier, in July 2025, researchers at Knostic went looking for these doors the same way Censys later would. They found 1,862 servers and manually checked 119 of them. All 119 handed over their internal tool listings to anyone who asked, no credentials required. Nothing about that finding was subtle. Nothing about it got fixed either. It just got bigger.

The doors keep failing in the same specific way. In nginx-ui, the endpoint an agent uses to manage a server, /mcp, checked for a valid session. Its sibling endpoint, /mcp_message, checked an IP whitelist that shipped empty, which the code read as allow all. One missing line, middleware.AuthRequired(), and any attacker on the network could restart nginx, rewrite its configuration, and reload it into whatever shape they wanted. Cataloged as CVE-2026-33032, CVSS 9.8, it was already being exploited in the wild by mid-April 2026.
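The fail-open pattern behind that bug, as an added illustration that is not nginx-ui's code: a constructed authorization decision for a message endpoint, once in the vulnerable shape (empty allow list read as "allow all", session never checked) and once failing closed. The function names and sample addresses are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Constructed illustration of the fail-open allow-list pattern; not nginx-ui's
// code. The vulnerable decision reads an empty list as "allow all" and never
// consults the session; the fixed one fails closed and requires a session too.
// ipInList reports whether client matches an entry in allow; entries may be
// single addresses ("10.0.0.5") or CIDR ranges ("10.0.0.0/8").
func ipInList(allow []string, client string) bool {
	ip := net.ParseIP(client)
	if ip == nil {
		return false // unparseable remote address never matches
	}
	for _, entry := range allow {
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if cidr.Contains(ip) {
				return true
			}
		} else if single := net.ParseIP(entry); single != nil && single.Equal(ip) {
			return true
		}
	}
	return false
}

// authorizeVulnerable: the auth middleware is absent, so the session flag is
// ignored, and an unset allow list is read as "allow all".
func authorizeVulnerable(allow []string, client string, _ bool) bool {
	if len(allow) == 0 {
		return true // the bug: nothing configured means nobody is turned away
	}
	return ipInList(allow, client)
}

// authorizeFixed fails closed: no session, or an empty allow list, denies.
func authorizeFixed(allow []string, client string, hasSession bool) bool {
	if !hasSession || len(allow) == 0 {
		return false
	}
	return ipInList(allow, client)
}

func main() {
	fmt.Println(authorizeVulnerable(nil, "203.0.113.9", false)) // true: open door
	fmt.Println(authorizeFixed(nil, "203.0.113.9", false))      // false
}
```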

Even Anthropic’s own reference implementation carried the same shape of problem. Its Git MCP server let an agent read a malicious README or a poisoned issue description, use a path-traversal bug to reach a directory it should never have touched, initialize a git repository there, plant a config file with a shell hook inside it, then trigger that hook through a second, unrelated bug. Three flaws, chained, into full code execution, and the attacker never needed direct access to the machine. The company that wrote the protocol shipped the same blind spot it was warning everyone else about.

That pattern matters because most security tools were built to watch the room, not the wire. A scanner can tell you a package looks suspicious after it is already installed. A log can tell you a command ran after it already ran. None of that sits at the place where a decision turns into an action, which means none of it catches the moment that actually matters.

Watching the boundary, not the aftermath

That is the boundary we built Prismor to sit on. It is open source, it runs on the developer’s own machine, and it watches the tool-call boundary directly: every shell command, every file write, every package install, every MCP interaction, checked before it executes, not after. If an agent reaches for an unauthenticated MCP server, or a tool call that does not match what the session was supposed to be doing, Prismor is positioned to catch it at the door, not in the postmortem. A single pip install prismor is enough to start watching that boundary on one machine.

What teams should do

Most teams have never gone looking for their own doors. Before trusting another MCP integration, it is worth checking what is already open:

  • Inventory every MCP server in use. Internal and third-party. If nobody can list them, nobody is watching them.
  • Require authentication on every server, no exceptions. A convenience deployment today is an open door tomorrow.
  • Treat tool descriptions and tool results as untrusted input. An MCP server can describe its own tools in whatever way benefits an attacker, and a file the agent reads can carry instructions of its own. The agent should not take either on faith.
  • Do not assume a vendor-shipped default is safe. Anthropic’s own reference Git MCP server needed three CVEs and the eventual removal of a tool before it was.
  • Put a control at the tool-call boundary, not just around the model. Watching prompts and outputs will always miss the moment the agent actually acts.

The takeaway is short enough to remember: an agent is only as safe as its least-locked door, and most teams have never gone looking for the doors. Once you see it that way, AI safety stops being a model problem. It becomes a wiring problem, and wiring problems get fixed by looking at the wires, not by talking to the room.