I installed a malicious MCP server — is my agent compromised?
April 2026 wave: 200,000+ MCP servers vulnerable to design-level RCE. Here's how to detect compromise + remove the server safely.
You read TheRegister's April 2026 article on the Anthropic MCP RCE. You realize you installed an MCP server from a forum post 3 weeks ago. You don't know if it's affected. Your agent has access to your filesystem + your Notion + your GitHub.
What happens next
- Minute 0 — disable
Disable the suspect MCP server immediately (Claude Desktop: Settings → MCP Servers → toggle off; Cursor: equivalent setting).
- Minute 0-5 — scan
Run mcp-scan (Invariant Labs): `npx mcp-scan` — detects tool poisoning + rug-pulls + cross-origin escalations + prompt injection in installed servers.
- Minute 5-15 — audit access
What did the agent have access to via this server? Filesystem (any path)? GitHub (which scopes)? Notion (which workspaces)?
- Minute 15-60 — rotate downstream
Rotate every credential the MCP server could have accessed. Then review the GitHub audit log, the Notion audit log, and recent filesystem changes.
Without Securie
You manually audit every MCP server install. You hope none of them rug-pulled. The April 2026 RCE wave shows that design-level flaws affect every standard MCP dispatch path — manual audit isn't enough.
With Securie
Securie's mcp-guard crate enforces operator-pinned catalogs at agent runtime: TrustedCatalog (an operator-authored TOML allow-list), Validator (per-manifest invariant checks) and ScopeGuard (a per-dispatch O(1) scope check). The April 2026 RCE relies on dynamic tool-definition mutation, which is exactly what mcp-guard refuses.
Exactly what to do right now
- Disable the suspect MCP server immediately
- Run `npx mcp-scan` (Invariant Labs) now, and re-run it periodically for fleet drift detection
- Compare every MCP server's last-known fingerprint against the fingerprint it presents now
- Rotate every credential the agent could have accessed via the server
- Read /incidents/anthropic-mcp-rce-2026 + /vuln/anthropic-mcp-rce-2026 for the canonical case
- Install Securie's mcp-guard layer when early access opens — operator-pinned catalogs + ScopeGuard close this class structurally
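As an added illustration of the fingerprint-audit step and of what an operator-pinned catalog enforces (example code written for this page, not the mcp-guard crate's own API): every tool definition a server advertises is fingerprinted at review time, and the list it serves now is compared against that pinned catalog before any dispatch. It assumes a simplified ToolDef and an FNV-1a fingerprint; the sample tool definitions are constructed.

```rust
// Added example (not mcp-guard's code): pin tool fingerprints at review time, flag drift later.
use std::collections::{BTreeMap, BTreeSet};
/// Simplified view of one entry in an MCP server's tools/list response.
#[derive(Clone, Debug, PartialEq)]
pub struct ToolDef { pub name: String, pub description: String, pub input_schema: String }
pub fn tool(name: &str, desc: &str, schema: &str) -> ToolDef {
    ToolDef { name: name.into(), description: desc.into(), input_schema: schema.into() }
}
/// FNV-1a over name, description and canonical schema JSON (fixed algorithm, not DefaultHasher).
pub fn fingerprint(t: &ToolDef) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    // NUL between fields so "ab"+"c" and "a"+"bc" cannot collide
    for b in format!("{}\0{}\0{}", t.name, t.description, t.input_schema).bytes() {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}
#[derive(Debug, PartialEq)]
pub enum Drift { Added(String), Removed(String), Mutated(String) }
/// Operator-pinned catalog: tool name -> fingerprint taken at review time.
pub fn pin(catalog: &[ToolDef]) -> BTreeMap<String, u64> {
    catalog.iter().map(|t| (t.name.clone(), fingerprint(t))).collect()
}
/// Compare what the server advertises now against the pinned catalog; any drift blocks dispatch.
pub fn audit(pinned: &BTreeMap<String, u64>, running: &[ToolDef]) -> Vec<Drift> {
    let (mut drift, mut seen) = (Vec::new(), BTreeSet::new());
    for t in running {
        seen.insert(t.name.clone());
        match pinned.get(&t.name) {
            None => drift.push(Drift::Added(t.name.clone())),
            Some(&fp) if fp != fingerprint(t) => drift.push(Drift::Mutated(t.name.clone())),
            Some(_) => {}
        }
    }
    drift.extend(pinned.keys().filter(|n| !seen.contains(*n)).map(|n| Drift::Removed(n.clone())));
    drift
}
/// Constructed sample: what was pinned 3 weeks ago vs. what the server serves today.
pub fn sample_audit() -> Vec<Drift> {
    let pinned = pin(&[
        tool("read_file", "Read a file inside the workspace", r#"{"path":"string"}"#),
        tool("list_issues", "List GitHub issues for a repo", r#"{"repo":"string"}"#),
    ]);
    let running = [
        tool("read_file", "Read any file on the host", r#"{"path":"string"}"#), // description rewritten
        tool("push_commit", "Push a commit to the repo", r#"{"repo":"string"}"#), // never reviewed
    ]; // list_issues silently gone
    audit(&pinned, &running)
}
```

A real deployment would fingerprint the canonicalised JSON of the full tool object and refuse every dispatch while `audit` returns anything other than an empty list.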