Someone Is Scanning for Your MCP Servers and AI Assistant Credentials, (Mon, Jul 13th)
A widespread internet scanning campaign is actively probing for exposed Model Context Protocol (MCP) servers, AI assistant configuration and credential files, and unauthenticated local large language model (LLM) endpoints. The scanning includes valid MCP protocol handshakes to identify live MCP servers, fishing for AI assistant secrets in web roots, and probing for open LLM inference APIs. Additionally, the campaign attempts server-side request forgery (SSRF) attacks targeting cloud metadata services to steal instance credentials. This reconnaissance is opportunistic and broad, targeting servers regardless of whether they run these AI-related services, indicating preparation for future exploitation as AI agent deployments become more common. Defenders are advised to verify that MCP servers require authentication and are not internet-exposed, remove AI assistant config and credential files from web roots, secure LLM endpoints behind authentication, and protect metadata services against SSRF.
AI Analysis
Technical Summary
The threat involves a distributed scanning campaign observed over two weeks on a low-traffic web host, revealing a new category of reconnaissance focused on AI agent infrastructure. Scanners perform valid JSON-RPC 2.0 MCP protocol initialize calls to detect live MCP servers, which if exposed without authentication, provide attackers with a machine-readable inventory of accessible tools and data sources. The campaign also probes for AI assistant configuration and credential files (e.g., .claude/mcp.json, .cursor/mcp_config.json) that developers may accidentally expose in web roots. Furthermore, scanners request unauthenticated LLM endpoints such as /v1/models (OpenAI-compatible) and /api/tags (Ollama) to find open inference servers. SSRF attempts targeting cloud metadata endpoints (e.g., metadata.google.internal) are also bundled with this AI-agent reconnaissance, aiming to steal cloud instance credentials. The scanning is broad and mature, with efficiency optimizations like HEAD requests to check file existence. The campaign is not limited to hosts running these services, indicating proactive scanning ahead of widespread AI agent adoption.
Potential Impact
If an MCP server is exposed without authentication, attackers can enumerate and potentially abuse all tools and data sources accessible to the AI agent, posing a severe security risk. Exposed AI assistant credential files in web roots leak sensitive keys that can be used to impersonate or hijack AI assistant sessions. Unauthenticated LLM endpoints allow attackers to use compute resources freely and potentially pivot to other attacks. SSRF vulnerabilities that allow access to cloud metadata services can lead to theft of cloud instance credentials, enabling further compromise of cloud infrastructure. Overall, these exposures significantly increase the attack surface related to AI agent deployments and cloud environments.
Mitigation Recommendations
No official patch or fix is indicated; this is reconnaissance activity. Defenders should: 1) Search logs for POST /mcp and /sse requests; if MCP servers are not deployed, block such requests as reconnaissance. 2) Ensure MCP servers require authentication and are not accessible from the internet. 3) Remove AI assistant configuration and credential files (.claude/, .cursor/, .vscode/mcp.json, .credentials.json, etc.) from web roots and restrict them to developer home directories. 4) Test externally for unauthenticated LLM endpoints (/v1/models, /api/tags) and secure them behind authentication. 5) Review and harden any fetch-style endpoints to block requests to cloud metadata IPs and hostnames (169.254.169.254, metadata.google.internal). 6) Enable metadata service protections such as GCP metadata server v1 with header enforcement and AWS IMDSv2 to mitigate SSRF risks. These steps address the specific reconnaissance and potential exploitation vectors identified.
Someone Is Scanning for Your MCP Servers and AI Assistant Credentials, (Mon, Jul 13th)
Description
A widespread internet scanning campaign is actively probing for exposed Model Context Protocol (MCP) servers, AI assistant configuration and credential files, and unauthenticated local large language model (LLM) endpoints. The scanning includes valid MCP protocol handshakes to identify live MCP servers, fishing for AI assistant secrets in web roots, and probing for open LLM inference APIs. Additionally, the campaign attempts server-side request forgery (SSRF) attacks targeting cloud metadata services to steal instance credentials. This reconnaissance is opportunistic and broad, targeting servers regardless of whether they run these AI-related services, indicating preparation for future exploitation as AI agent deployments become more common. Defenders are advised to verify that MCP servers require authentication and are not internet-exposed, remove AI assistant config and credential files from web roots, secure LLM endpoints behind authentication, and protect metadata services against SSRF.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The threat involves a distributed scanning campaign observed over two weeks on a low-traffic web host, revealing a new category of reconnaissance focused on AI agent infrastructure. Scanners perform valid JSON-RPC 2.0 MCP protocol initialize calls to detect live MCP servers, which if exposed without authentication, provide attackers with a machine-readable inventory of accessible tools and data sources. The campaign also probes for AI assistant configuration and credential files (e.g., .claude/mcp.json, .cursor/mcp_config.json) that developers may accidentally expose in web roots. Furthermore, scanners request unauthenticated LLM endpoints such as /v1/models (OpenAI-compatible) and /api/tags (Ollama) to find open inference servers. SSRF attempts targeting cloud metadata endpoints (e.g., metadata.google.internal) are also bundled with this AI-agent reconnaissance, aiming to steal cloud instance credentials. The scanning is broad and mature, with efficiency optimizations like HEAD requests to check file existence. The campaign is not limited to hosts running these services, indicating proactive scanning ahead of widespread AI agent adoption.
Potential Impact
If an MCP server is exposed without authentication, attackers can enumerate and potentially abuse all tools and data sources accessible to the AI agent, posing a severe security risk. Exposed AI assistant credential files in web roots leak sensitive keys that can be used to impersonate or hijack AI assistant sessions. Unauthenticated LLM endpoints allow attackers to use compute resources freely and potentially pivot to other attacks. SSRF vulnerabilities that allow access to cloud metadata services can lead to theft of cloud instance credentials, enabling further compromise of cloud infrastructure. Overall, these exposures significantly increase the attack surface related to AI agent deployments and cloud environments.
Mitigation Recommendations
No official patch or fix is indicated; this is reconnaissance activity. Defenders should: 1) Search logs for POST /mcp and /sse requests; if MCP servers are not deployed, block such requests as reconnaissance. 2) Ensure MCP servers require authentication and are not accessible from the internet. 3) Remove AI assistant configuration and credential files (.claude/, .cursor/, .vscode/mcp.json, .credentials.json, etc.) from web roots and restrict them to developer home directories. 4) Test externally for unauthenticated LLM endpoints (/v1/models, /api/tags) and secure them behind authentication. 5) Review and harden any fetch-style endpoints to block requests to cloud metadata IPs and hostnames (169.254.169.254, metadata.google.internal). 6) Enable metadata service protections such as GCP metadata server v1 with header enforcement and AWS IMDSv2 to mitigate SSRF risks. These steps address the specific reconnaissance and potential exploitation vectors identified.
Technical Details
- Article Source
- {"url":"https://isc.sans.edu/diary/rss/33150","fetched":true,"fetchedAt":"2026-07-13T04:32:35.657Z","wordCount":1639}
Threat ID: 6a546a6368715ace4327d87a
Added to database: 07/13/2026, 04:32:35 UTC
Last enriched: 07/13/2026, 04:32:46 UTC
Last updated: 07/13/2026, 06:28:05 UTC
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.