Anthropic MCP "By Design" RCE — Where Runtime Detection Fills the Gap
When the protocol won't change, the detection layer becomes the contract. A walkthrough of the MCP "by design" disclosure and ATR's 17 dedicated MCP rules.
In April 2026 a disclosure from OX Security and follow-up reporting from The Hacker News and SecurityWeek described a design vulnerability in the Anthropic Model Context Protocol that enables RCE through tool description injection and supply-chain compromise of MCP servers. Anthropic declined to modify the protocol architecture, citing the behaviour as expected.
That leaves a vacuum. Protocol-level fix is unlikely. Runtime-level detection becomes the contract.
The Surface Area
Public numbers from the reporting:
- ●7,000+ MCP servers exposed at disclosure time
- ●200,000 servers at risk across the broader install base
- ●150M downloads of MCP-related packages
The protocol's power — tools auto-describing themselves to the agent and the agent acting on those descriptions — is the same surface attackers use. Tool descriptions can include adversarial instructions. The agent reads them, treats them as legitimate, and acts.
ATR's 17 MCP Rules
ATR ships 17 rules dedicated to MCP threat patterns. The main families:
- ●Tool poisoning — covert instructions embedded in tool descriptions, manifest fields, or returned payloads. Rule
ATR-2026-00060(skill-impersonation, MCP variant) is the canonical detector for the description-injection pattern. - ●MCP supply chain compromise — npm or PyPI MCP server packages with backdoor payloads.
ATR-2026-00095(supply-chain poisoning) covers this family. - ●Prompt injection through tool returns — the agent calls a tool, the tool returns content that re-prompts the agent. Several tool-poisoning rules in the category cover this with payload-pattern matching.
- ●Manifest tampering — MCP server manifest fields modified to claim broader capabilities than implementation actually provides. Detected via description-vs-behaviour mismatch rules in the same family as
ATR-2026-00061.
Each rule is deterministic YAML, MIT-licensed, and FP-tested on the 432-skill labelled benign corpus.
Defence-In-Depth Model
The contract becomes three layers stacked:
1. Install-time SCA — package reputation, maintainer verification, published-too-recently flags. Catches some attacks.
2. Runtime ATR rules — tool-description content scanning, manifest-vs-behaviour comparison, return-payload prompt-injection detection. Catches the systematic patterns where SCA missed.
3. Agent-level approval prompts — final human-in-the-loop gate before sensitive operations.
No single layer is sufficient. When the protocol can't be fixed, you stack layers around it.
The Vendor-Neutral Posture
ATR rules are not Anthropic-specific. They fire on any MCP server regardless of which agent runtime is consuming it. They fire on Skills marketplaces, on package registries, on tool description streams from any source. The detection contract is written against the behaviour, not against the vendor.
When the protocol won't change, the detection layer becomes the contract. ATR is one available implementation of that contract.
The Hacker News · SecurityWeek · OX Security disclosure · ATR MCP rules