LeechHijack: Covert Computational Resource Exploitation in Intelligent Agent Systems

TL;DR

This paper introduces LeechHijack, a novel covert attack exploiting trust in external tools within LLM-based agent systems, demonstrating significant resource hijacking risks and emphasizing the need for improved security measures.

Contribution

We formalize a new attack vector called implicit toxicity and develop LeechHijack, a latent exploit that covertly hijacks computational resources in MCP-based agent systems.

Findings

LeechHijack achieves an average success rate of 77.25%.

Resource overhead is 18.62% compared to baseline.

The attack operates across four major LLM families.

Abstract

Large Language Model (LLM)-based agents have demonstrated remarkable capabilities in reasoning, planning, and tool usage. The recently proposed Model Context Protocol (MCP) has emerged as a unifying framework for integrating external tools into agent systems, enabling a thriving open ecosystem of community-built functionalities. However, the openness and composability that make MCP appealing also introduce a critical yet overlooked security assumption -- implicit trust in third-party tool providers. In this work, we identify and formalize a new class of attacks that exploit this trust boundary without violating explicit permissions. We term this new attack vector implicit toxicity, where malicious behaviors occur entirely within the allowed privilege scope. We propose LeechHijack, a Latent Embedded Exploit for Computation Hijacking, in which an adversarial MCP tool covertly expropriates the agent's computational resources for unauthorized workloads. LeechHijack operates through a two-stage mechanism: an implantation stage that embeds a benign-looking backdoor in a tool, and an exploitation stage where the backdoor activates upon predefined triggers to establish a command-and-control channel. Through this channel, the attacker injects additional tasks that the agent executes as if they were part of its normal workflow, effectively parasitizing the user's compute budget. We implement LeechHijack across four major LLM families. Experiments show that LeechHijack achieves an average success rate of 77.25%, with a resource overhead of 18.62% compared to the baseline. This study highlights the urgent need for computational provenance and resource attestation mechanisms to safeguard the emerging MCP ecosystem.