jogu 8 days ago

Is there any reason that this attack is limited to the GitHub MCP or could it be applied to others as well?

For example, even if the GitHub MCP server only had access to the single public repository, could the agent be convinced to exfiltrate information from some other arbitrary MCP server configured in the environment to that repository?

lbeurerkellner 8 days ago

Yes, any MCP server that is connected to an untrusted source of data could be abused by an attacker to take over the agent. Here, we just showed an in-server exploit that does not require more than one server.

Also, check out our work on tool poisoning, where a connected server itself turns malicious (https://invariantlabs.ai/blog/mcp-security-notification-tool...).
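The flow both comments describe (untrusted content entering the agent through one server, private data from any connected resource being carried out to a public sink) can be checked mechanically. The following is an added example, not code from this thread or from Invariant Labs: a minimal provenance (taint) check in which every tool result is labelled with the resource it came from and whether that resource is private, and every write-type tool call is refused when its payload is derived from private data while the destination is public. The server, resource and tool names are constructed for the example; it covers both the single-server case in the comment above and the cross-server case raised in the question.

```python
"""
Added example, not code from the thread or from Invariant Labs: a minimal
provenance (taint) check for an MCP-style agent loop. Every tool result is
labelled with where it came from and whether that place is private. Before a
write-type tool runs, the agent checks that the outgoing payload does not
carry content that originated from a private resource while the destination
is public. Server, resource and tool names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Origin:
    """A resource reachable through an MCP server, e.g. one repo or one file."""
    server: str
    resource: str
    private: bool  # True if this data must not leave the user's trust boundary


@dataclass
class Labeled:
    """A tool result together with every origin whose data contributed to it."""
    text: str
    origins: frozenset[Origin] = field(default_factory=frozenset)


class PolicyViolation(Exception):
    pass


class Agent:
    def __init__(self) -> None:
        self.context: list[Labeled] = []

    def read(self, origin: Origin, text: str) -> Labeled:
        """Record a read-tool result and tag it with its origin."""
        item = Labeled(text, frozenset({origin}))
        self.context.append(item)
        return item

    def taint_of(self, payload: str) -> frozenset[Origin]:
        """Origins whose content appears verbatim inside the outgoing payload.

        Substring matching is deliberately simple; a production monitor would
        track data at the record or token level instead of by exact substring.
        """
        hits: set[Origin] = set()
        for item in self.context:
            if item.text and item.text in payload:
                hits |= item.origins
        return frozenset(hits)

    def check_write(self, sink: Origin, payload: str) -> frozenset[Origin]:
        """Private origins that would leak if `payload` were written to `sink`."""
        if sink.private:
            return frozenset()  # private-to-private flow stays inside the boundary
        return frozenset(o for o in self.taint_of(payload) if o.private)

    def write(self, sink: Origin, payload: str) -> str:
        """Gate a write-tool call; refuse to let private data reach a public sink."""
        leaking = self.check_write(sink, payload)
        if leaking:
            names = ", ".join(f"{o.server}:{o.resource}" for o in sorted(leaking, key=str))
            raise PolicyViolation(
                f"blocked write to {sink.server}:{sink.resource}; payload derived from {names}")
        return f"wrote to {sink.server}:{sink.resource}"


def demo() -> dict[str, object]:
    """Constructed scenario: a public issue, a private file, and three write attempts."""
    agent = Agent()
    public_repo = Origin("github", "acme/public-repo", private=False)
    private_file = Origin("filesystem", "/home/me/notes.md", private=True)

    # Untrusted content from the public repo enters the context (it may carry instructions).
    agent.read(public_repo, "Issue #1: untrusted text from a public issue")
    # Data from a different, private server also enters the context.
    agent.read(private_file, "salary review: 123k")

    results: dict[str, object] = {}
    results["leak_blocked"] = agent.check_write(public_repo, "Summary: salary review: 123k")
    try:
        agent.write(public_repo, "Summary: salary review: 123k")
        results["write_to_public"] = "allowed"
    except PolicyViolation:
        results["write_to_public"] = "blocked"
    results["clean_write"] = agent.write(public_repo, "Summary: nothing to report")
    results["private_sink"] = agent.write(
        Origin("filesystem", "/home/me/out.md", private=True), "salary review: 123k")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The check lives at the boundary where the agent's tool call is dispatched, not in the prompt, so it holds regardless of what instructions the untrusted content managed to inject. Labelling data by resource rather than by server is what makes the single-server case (private repo to public repo on the same GitHub server) and the cross-server case (another MCP server's data to a public repo) fall under the same rule.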

nssnsjsjsjs 7 days ago

Yep, I could write a prompt here in this very comment to trick an LLM and then dump in a URL to exfiltrate to, and hopefully someone has a tool that unthinkingly posts to that endpoint.