MCP servers lack standardized security auditing mechanisms, and malicious implementations pose severe risks to AI systems; however, their threat model remains unstudied systematically. Method: This paper is the first to treat MCP servers as active adversaries, proposing a fine-grained, twelve-category attack taxonomy based on component decomposition. We validate attack feasibility and stealthiness in real-world LLM agent environments via proof-of-concept malicious servers, cross-platform empirical testing, and automated scanning assessments. Contribution/Results: We demonstrate that malicious MCP servers can be generated at low cost and in bulk, while evading detection by mainstream security tools with extremely low identification rates. Our findings expose critical security blind spots in the current MCP ecosystem, providing both theoretical foundations and empirical evidence to guide the design of robust defenses and the development of security standards.

Model Context Protocol (MCP) servers enable AI applications to connect to external systems in a plug-and-play manner, but their rapid proliferation also introduces severe security risks. Unlike mature software ecosystems with rigorous vetting, MCP servers still lack standardized review mechanisms, giving adversaries opportunities to distribute malicious implementations. Despite this pressing risk, the security implications of MCP servers remain underexplored. To address this gap, we present the first systematic study that treats MCP servers as active threat actors and decomposes them into core components to examine how adversarial developers can implant malicious intent. Specifically, we investigate three research questions: (i) what types of attacks malicious MCP servers can launch, (ii) how vulnerable MCP hosts and Large Language Models (LLMs) are to these attacks, and (iii) how feasible it is to carry out MCP server attacks in practice. Our study proposes a component-based taxonomy comprising twelve attack categories. For each category, we develop Proof-of-Concept (PoC) servers and demonstrate their effectiveness across diverse real-world host-LLM settings. We further show that attackers can generate large numbers of malicious servers at virtually no cost. We then test state-of-the-art scanners on the generated servers and found that existing detection approaches are insufficient. These findings highlight that malicious MCP servers are easy to implement, difficult to detect with current tools, and capable of causing concrete damage to AI agent systems. Addressing this threat requires coordinated efforts among protocol designers, host developers, LLM providers, and end users to build a more secure and resilient MCP ecosystem.