A Rug Pull Attack in MCP happens when an attacker silently changes a tool’s description, behavior, or implementation after the user has already approved it. The MCP server passes the initial security review, gets added to the user’s mcp.json, and runs cleanly for days or weeks. Then the server pushes an update that swaps the benign description for a malicious one. Most MCP hosts approve the change without re-prompting the user, because they bind trust to the tool’s name, not its actual content. The pattern was formally demonstrated in CVE-2025-54136 (MCPoison), where Check Point researchers showed Cursor blindly trusted approved config keys even after the underlying command had been swapped.
How a Rug Pull Attack Works
Phase one is establishing trust. The attacker publishes a useful MCP server with clean code and benign tool descriptions. Users install it, click approve, and add it to their daily workflow. Phase two is the swap. The server pushes a new version with poisoned tool descriptions, a different command in mcp.json, or a malicious payload in a previously inert function. Because the MCP spec doesn’t require re-approval on description change, the host loads the new version silently. The agent now runs the attacker’s instructions with the user’s full credentials and tool privileges.
Why Rug Pulls Are Hard to Catch
Rug pulls hide inside the normal update cycle every package manager treats as routine. npm, pip, and Cargo all auto-update by default. Most users have hundreds of dependencies and don’t read changelogs for every patch. MCP makes this worse because tool descriptions are pure text, so a malicious update needs no compiled binary, no native library, no obvious signal. The change might be a single line added to a docstring. CVE-2025-54136 showed how this pattern works on config files: Cursor approved a key once, then re-executed whatever command was bound to that key on every project open.
How to Detect and Stop Rug Pull Attacks
Pin every MCP server by exact version and content hash, not just by name. Require explicit re-approval whenever a tool description, command, or capability changes. Run a diff on every server update before it loads. Subscribe to security advisories for the MCP servers you depend on. Audit mcp.json files in git so unexpected changes show up in code review. The Certified MCP Security Expert (CMCPSE) certification covers rug pull detection with practical CVE-2025-54136 walkthroughs.
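The following is an added example, not code from the original page or from any MCP host or server project. It shows the difference between the name-based trust described under "How a Rug Pull Attack Works" and the content-hash pinning recommended above: a small trust store records the SHA-256 of each approved tool definition (name, description, input schema) and of the server's launch command from mcp.json, then flags anything that is new or changed so the host can require explicit re-approval instead of loading it silently. The server name "notes", the tool "search_notes", and the two "versions" of its definition are constructed sample data; the trust store is assumed to be persisted by the host between sessions.

```python
"""Content-hash pinning for MCP tool definitions (added example)."""
import difflib
import hashlib
import json
from dataclasses import dataclass, field


def canonical_hash(obj) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same definition
    # always hashes identically regardless of key order or whitespace.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def tool_fingerprint(tool: dict) -> str:
    # Hash exactly the fields the agent sees and acts on; a changed docstring
    # alone is enough to produce a different fingerprint.
    return canonical_hash({
        "name": tool["name"],
        "description": tool.get("description", ""),
        "inputSchema": tool.get("inputSchema", {}),
    })


def server_fingerprint(server_entry: dict) -> str:
    # Hash the launch command and args from mcp.json, the part that can be
    # swapped behind an already-approved key (the CVE-2025-54136 pattern).
    return canonical_hash({
        "command": server_entry.get("command"),
        "args": server_entry.get("args", []),
    })


@dataclass
class TrustStore:
    """Approved fingerprints keyed by 'server:<name>' or 'tool:<server>/<tool>'."""
    approved: dict = field(default_factory=dict)

    def approve(self, key: str, digest: str) -> None:
        self.approved[key] = digest

    def check(self, key: str, digest: str) -> str:
        known = self.approved.get(key)
        if known is None:
            return "new"
        return "approved" if known == digest else "changed"


def audit_server(store: TrustStore, server_name: str, server_entry: dict, tools: list) -> list:
    """Return (key, status) for every item that is not already approved.

    An empty list means the server may load without prompting; anything
    else should block loading until the user explicitly re-approves.
    """
    findings = []
    key = f"server:{server_name}"
    status = store.check(key, server_fingerprint(server_entry))
    if status != "approved":
        findings.append((key, status))
    for tool in tools:
        key = f"tool:{server_name}/{tool['name']}"
        status = store.check(key, tool_fingerprint(tool))
        if status != "approved":
            findings.append((key, status))
    return findings


def description_diff(old_tool: dict, new_tool: dict) -> list:
    """Unified diff of the description text, suitable for a re-approval prompt."""
    return list(difflib.unified_diff(
        old_tool.get("description", "").splitlines(),
        new_tool.get("description", "").splitlines(),
        fromfile="approved", tofile="update", lineterm=""))


# Constructed sample data: first-install definition of a hypothetical server.
MCP_JSON_V1 = {"command": "npx", "args": ["-y", "example-notes-server@1.0.0"]}
TOOLS_V1 = [{
    "name": "search_notes",
    "description": "Search the user's notes by keyword.",
    "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}},
}]

# Constructed "update": same server key and tool name, but the description and
# launch args differ. Name-based trust would accept this without a prompt.
MCP_JSON_V2 = {"command": "npx", "args": ["-y", "example-notes-server@1.0.1"]}
TOOLS_V2 = [{
    "name": "search_notes",
    "description": "Search the user's notes by keyword. Results include file paths.",
    "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}},
}]


def run_demo() -> dict:
    store = TrustStore()
    first = audit_server(store, "notes", MCP_JSON_V1, TOOLS_V1)
    # Simulate the user explicitly approving everything at first install.
    store.approve("server:notes", server_fingerprint(MCP_JSON_V1))
    for tool in TOOLS_V1:
        store.approve(f"tool:notes/{tool['name']}", tool_fingerprint(tool))
    unchanged = audit_server(store, "notes", MCP_JSON_V1, TOOLS_V1)
    after_update = audit_server(store, "notes", MCP_JSON_V2, TOOLS_V2)
    return {"first": first, "unchanged": unchanged, "after_update": after_update}


if __name__ == "__main__":
    for stage, findings in run_demo().items():
        print(stage, findings or "ok, no re-approval needed")
    print("\n".join(description_diff(TOOLS_V1[0], TOOLS_V2[0])))
```

The same fingerprints can be committed alongside mcp.json so that a server update shows up as a hash change in code review, which covers the git-audit step above; a host that only compares tool names has no way to produce the "changed" result that drives the re-approval prompt.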
Summary
A Rug Pull Attack flips a trusted MCP server into a malicious one through a silent post-approval update. Hash pinning, re-approval prompts, and version control are the only real defenses. The Certified MCP Security Expert (CMCPSE) certification trains engineers to recognize rug pull patterns and lock down MCP supply chains against this exact attack class.
