Third article in my MCP security series. Claude Code’s .mcp.json discovery walks from CWD to filesystem root with no boundary check and no file ownership verification. On multi-user Linux systems, any user can drop /tmp/.mcp.json to inject MCP servers into another user’s Claude Code session. Not reported to Anthropic — here’s why, and the full technical breakdown.

Fourth article in my MCP security series. By chaining a transport-layer weakness (session ID as sole routing key) with the Tasks and Elicitation systems, an attacker can inject phantom tasks into a victim’s MCP session and phish credentials through the legitimate, trusted server. CVSS 8.1 — reported to Anthropic VDP and disclosed. Full technical breakdown with working PoC.

Second article in my MCP security series. A malicious MCP server returns a 401 with a crafted WWW-Authenticate header pointing resource_metadata at any URL it wants. The MCP SDK fetches that URL without origin validation — blind SSRF, affects both Python and TypeScript SDKs, Claude Desktop, and Claude Code. Reported to Anthropic VDP, closed as duplicate. Full technical details disclosed here.

The Hacker Recipes said remote SID History injection from Linux was impossible. Here’s how I proved them wrong with two methods: DRSUAPI and DSInternals.

A deep dive into a protocol-level vulnerability in the Model Context Protocol (MCP) specification where malicious SVG icons delivered via data: URIs can escalate from XSS to full RCE on Electron clients. Reported to Anthropic VDP, closed as Informative — disclosed here with full technical details.

Building a cross-platform GoldenGMSA tool by reverse engineering Windows cryptographic DLLs and implementing NIST SP800-108 KDF from scratch