From Component Manipulation to System Compromise: Understanding and Detecting Malicious MCP Servers

TL;DR

This paper introduces a component-centric approach to understanding and detecting malicious MCP servers in LLM systems, including a new dataset and a behavioral deviation detector called Connor.

Contribution

It presents the first component-centric PoC dataset of malicious MCP servers and a novel two-stage detection method, Connor, for identifying malicious behaviors.

Findings

Component position influences attack success rate.

Multi-component attacks are more effective than single-component attacks.

Connor achieves 94.6% F1-score, outperforming existing methods.

Abstract

The model context protocol (MCP) standardizes how LLMs connect to external tools and data sources, enabling faster integration but introducing new attack vectors. Despite the growing adoption of MCP, existing MCP security studies classify attacks by their observable effects, obscuring how attacks behave across different MCP server components and overlooking multi-component attack chains. Meanwhile, existing defenses are less effective when facing multi-component attacks or previously unknown malicious behaviors. This work presents a component-centric perspective for understanding and detecting malicious MCP servers. First, we build the first component-centric PoC dataset of 114 malicious MCP servers where attacks are achieved as manipulation over MCP components and their compositions. We evaluate these attacks' effectiveness across two MCP hosts and five LLMs, and uncover that (1) component position shapes attack success rate; and (2) multi-component compositions often outperform single-component attacks by distributing malicious logic. Second, we propose and implement Connor, a two-stage behavioral deviation detector for malicious MCP servers. It first performs pre-execution analysis to detect malicious shell commands and extract each tool's function intent, and then conducts step-wise in-execution analysis to trace each tool's behavioral trajectories and detect deviations from its function intent. Evaluation on our curated dataset indicates that Connor achieves an F1-score of 94.6%, outperforming the state of the art by 8.9% to 59.6%. In real-world detection, Connor identifies two malicious servers.