
June 2025 MCP Content Round-Up: Incidents, Updates, Releases, and more!

July 1, 2025

It’s been a busy month in the world of Model Context Protocol (MCP). Between new open source server releases, security leaks, and insightful commentary from developers building on top of these tools, there’s a lot to keep up with—and even more to think about if you're working on or around AI agents. But one thing is clear: MCP is here, and it needs to be secured.

Whether you're tracking the evolution of autonomous agents, testing out connectors, or just curious about how the space is changing, we’ve pulled together incidents, industry news, conversations/blogs, and other news/reports around MCP from the past month.

Incidents

6/25/2025

Hundreds of MCP Servers Expose AI Models to Abuse, RCE - Dark Reading 

Hundreds of Model Context Protocol (MCP) servers on the Web today are misconfigured, unnecessarily exposing users of artificial intelligence (AI) apps to cyberattacks. The first problem that researchers discovered was just how many MCPs are open on the Web: around 7,000, approximately half of the total.

6/19/2025

Researchers Warn of AI Attacks After PoC Exploits Atlassian's AI Agent | Infosecurity Magazine

AI Agents hold great promise for IT ticketing services, but they also bring with them new risks. Researchers from Cato Networks have revealed that a new AI agent protocol released by Atlassian, a service desk solutions provider, could allow an attacker to submit a malicious support ticket through Jira Service Management (JSM) with a prompt injection.

6/18/2025

Asana MCP server back online after plugging a data-leak hole | The Register

Asana has fixed a bug in its Model Context Protocol (MCP) server that could have allowed users to view other organizations' data, and the experimental feature is back up and running after nearly two weeks of downtime to fix the issue.

6/18/2025

Asana warns MCP AI feature exposed customer data to other orgs - Bleeping Computer 

Work management platform Asana is warning users of its new Model Context Protocol (MCP) feature that a flaw in its implementation potentially led to data exposure from their instances to other users and vice versa.

6/18/2025

AgentSmith Flaw in LangSmith's Prompt Hub Exposed User API Keys, Data | Hackread

A CVSS 8.8 AgentSmith flaw in LangSmith’s Prompt Hub exposed AI agents to data theft and LLM manipulation. Learn how malicious AI agents could steal API keys and hijack LLM responses. Fix deployed.

6/12/2025

Microsoft Boosts MCP and AI Chat in Delayed VS Code Release - Visual Studio Magazine 

Microsoft took an extra week to ship the new Visual Studio Code 1.101 (May 2025) release, which is today available with a host of improvements around advanced AI and the Model Context Protocol (MCP).

6/11/2025

Breaking down ‘EchoLeak’, the First Zero-Click AI Vulnerability Enabling Data Exfiltration from Microsoft 365 Copilot | Aim Labs

Aim Security discovered “EchoLeak”, a vulnerability that exploits design flaws typical of RAG Copilots, allowing attackers to automatically exfiltrate any data from M365 Copilot’s context, without relying on specific user behavior. The primary chain is composed of three distinct vulnerabilities, but Aim Labs has identified additional vulnerabilities in its research process that may also enable an exploit.

6/10/2025

Trump administration's whole-government AI plans leaked on GitHub | The Register

The AI.gov repository and staging site vanished when we asked questions, but don't worry – we captured backups.

6/2/2025

GitHub MCP vulnerability has far-reaching consequences - Cybernews 

On May 26th, a new prompt injection security weakness was reported in GitHub's official Model Context Protocol (MCP) server – the infrastructure that allows artificial intelligence (AI) coding assistants to read from and write to your GitHub repositories.

Industry News

6/25/2025 

Build and Host AI-Powered Apps with Claude - No Deployment Needed | Anthropic

Today, we’re introducing the ability to build, host, and share interactive AI-powered apps directly in the Claude app. Now developers can iterate faster on their AI apps without worrying about the complexity and cost of scaling for a growing audience.

6/25/2025

Gemini CLI: your open-source AI agent | Google Blog

We’re introducing Gemini CLI, an open-source AI agent that brings the power of Gemini directly into your terminal. It provides lightweight access to Gemini, giving you the most direct path from your prompt to our model. While it excels at coding, we built Gemini CLI to do so much more. It’s a versatile, local utility you can use for a wide range of tasks, from content generation and problem solving to deep research and task management. Free and open source, Gemini CLI brings Gemini directly into developers’ terminals — with unmatched access for individuals.

6/23/2025

Linux Foundation Launches the Agent2Agent Protocol Project to Enable Secure, Intelligent Communication Between AI Agents | The Linux Foundation

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the launch of the Agent2Agent (A2A) project, an open protocol created by Google for secure agent-to-agent communication and collaboration. Developed to address the challenges of scaling AI agents across enterprise environments, A2A empowers developers to build agents that seamlessly interoperate, regardless of platform, vendor or framework. 

6/23/2025

Salesforce Announces Agentforce 3.0: Command Center, MCP, and Apps | Salesforce Ben

Salesforce has just announced Agentforce 3.0 – the latest iteration of its flagship AI product. This latest update signals that Salesforce is listening closely to the ecosystem. Many of the concerns raised by professionals over the past few months around visibility, control, and integration are being directly addressed. 

6/20/2025

CloudBees opens MCP server so agents can infiltrate DevOps - devclass 

CloudBees has opened up a preview of an MCP Server for its nascent Unify platform to allow it to manage the AI agents that are working their way into DevOps workflows.

6/18/2025

Connect any React application to an MCP server in three lines of code | Cloudflare Blog

We're open-sourcing two tools that make it easy to build and deploy MCP clients. You can deploy a remote Model Context Protocol (MCP) server on Cloudflare.

6/17/2025

ChatGPT can now connect to MCP servers - here's how, and what to watch for | ZDNET 

Employees can access company data through the chatbot. OpenAI cautions users to review their tools for sensitive information.

6/17/2025

Mobile MCP Client for Developers | SystemPrompt.io

Command Model Context Protocol (MCP) agents from your pocket. Available on iOS and Android.

6/16/2025

Block's Playbook for Designing MCP Servers | Block Engineering

At Block, we have developed more than 60 MCP servers, and this playbook reflects some patterns and learnings we've observed across that ecosystem.

6/13/2025

How we built our multi-agent research system | Anthropic 

Our Research feature uses multiple Claude agents to explore complex topics more effectively. We share the engineering challenges and the lessons we learned from building this system.

6/12/2025

May 2025 (version 1.101) | Visual Studio Code

Welcome to the May 2025 release of Visual Studio Code. There are many updates in this version that we hope you'll like; some of the key highlights include:

6/13/2025

AWS Launches MCP Servers to Supercharge AI-Assisted App Development - Cloud Wars 

AWS has announced the release of Model Context Protocol (MCP) servers for AWS Lambda, Amazon Elastic Container Service (ECS), Amazon Elastic Kubernetes Service (EKS), and Fargate. An MCP server acts as a bridge between an AI agent and critical resources like a database or file system.

6/12/2025

Remote GitHub MCP Server is now in public preview | GitHub Blog

With the Remote GitHub MCP server, you don’t need to install or run it locally, and new updates are applied automatically. Just install to VS Code with one click or paste the server URL into your remote MCP-compatible host, authenticate, and you’re ready to go.

6/6/2025

Introducing Industry’s First MCP Security Solution by Akto | Akto.io

We’re launching Akto MCP Security, the industry’s first dedicated security solution specifically built to protect MCPs.

6/4/2025

ChatGPT introduces meeting recording and connectors for Google Drive, Box, and more | TechCrunch

OpenAI’s ChatGPT is adding new features for business users, including integrations with different cloud services, meeting recordings, and MCP connection support for connecting to tools for deep research.

Personal Blog Posts 

6/14/2025

Anthropic: How we built our multi-agent research system | Simon Willison

I've been pretty skeptical of these until recently: why make your life more complicated by running multiple different prompts in parallel when you can usually get something useful done with a single, carefully-crafted prompt against a frontier model?

6/13/2025

Design Patterns for Securing LLM Agents against Prompt Injections | Simon Willison

This new paper by 11 authors from organizations including IBM, Invariant Labs, ETH Zurich, Google and Microsoft is an excellent addition to the literature on prompt injection and LLM security.

6/11/2025

MCP: A strategic foundation for enterprise-ready AI agents - CIO 

As AI transitions from experimental deployment to enterprise-critical infrastructure, CIOs and IT leaders are being asked to guide their organizations through a rapidly evolving technology landscape. One of the most significant trends is the rise of AI agents — systems capable of making decisions and performing complex, multi-step tasks with minimal human oversight. 

6/4/2025

Introducing our Dev Mode MCP server | Figma

We’re announcing the beta release of the Dev Mode MCP server, which brings Figma directly into the developer workflow to help LLMs achieve design-informed code generation.

6/3/2025

Unlocking the power of Model Context Protocol (MCP) on AWS | AWS

In a world where AI capabilities are advancing rapidly, the difference between good and great implementations often comes down to context. With MCP and AWS, you have the tools to make sure your AI systems have the right context at the right time, unlocking their full potential for your organization.

6/2/2025

My AI Skeptic Friends Are All Nuts | Fly.io Bio

A heartfelt provocation about AI-assisted programming.

Other MCP News, Reports, and Resources

6/25/2025

Enterprises must rethink IAM as AI agents outnumber humans 10 to 1 | VentureBeat

Stolen credentials are responsible for 80% of enterprise breaches. Every major security vendor has converged on the same conclusion: Identity is now the control plane for AI security. Scale alone demands this shift. Enterprises managing 100,000 employees will handle more than one million identities when AI agents enter production.

6/24/2025

Why a Classic MCP Server Vulnerability Can Undermine Your Entire AI Agent - Trend Micro 

A single SQL injection bug in Anthropic’s SQLite MCP server—forked over 5,000 times—can seed stored prompts, exfiltrate data, and hand attackers the keys to entire agent workflows. This entry unpacks the attack chain and lays out concrete fixes to shut it down.

6/19/2025

Cato CTRL™ Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living off AI” Risk | Cato Networks

Most organizations assume a clear boundary between external users, who submit support tickets or service requests, and internal users, who handle them using privileged access. However, when an internal user triggers an AI action from a model context protocol (MCP) tool, such as summarizing a ticket, that boundary can break. The AI action is executed with the internal user’s permissions (whether a human agent, a bot, or an automated integration), meaning a malicious ticket submitted by an external threat actor can be used to inject harmful instructions. 

6/17/2025

Build and Deploy a Remote MCP Server to Google Cloud Run in Under 10 Minutes | Google Cloud Blog

Integrating context from tools and data sources into LLMs can be challenging, which impacts ease-of-use in the development of AI agents. To address this challenge, Anthropic introduced the Model Context Protocol (MCP), which standardizes how applications provide context to LLMs.

6/12/2025

Securing The AI Tooling Revolution: Building A Cyber-Resilient Future With MCP And CTEM | Forbes

The AI revolution is reshaping our digital landscape at unprecedented speed. As autonomous agents increasingly interact with external tools and services, the model context protocol (MCP) is emerging as a powerful enabler. This is leading to the standardization of how AI models fetch data, call functions and chain workflows.

6/12/2025

The Marketer's Guide to Model Context Protocols - CMS Wire 

Model Context Protocols let AI agents talk to your tools. Discover how marketers can use MCPs to streamline workflows and elevate the customer experience.

6/12/2025

MCP Will Fail, And Here's Why - Forbes 

The Model-Context Protocol (MCP) emerged with fanfare as a universal standard designed to enable seamless integration between AI models and software tools. On the surface, it addresses a genuine industry pain point: replacing the current patchwork of custom APIs and proprietary plugins with a simple, standardized solution. Proponents of MCP describe a future where AI agents effortlessly connect with myriad applications without cumbersome custom integration.

6/11/2025

Top 7 MCP Clients for AI Tooling - KDnuggets 

The most popular clients that seamlessly and reliably work with MCP servers ranging from IDEs to chatbots and plugins.

6/9/2025

New Open-Source Tool Takes Aim at MCP Vulnerabilities in AI Systems | HackerNoon 

MCP allows LLMs to communicate with external systems, such as Git repositories or web browsers, by standardizing interactions through structured APIs. While this opens up exciting possibilities for automation and productivity, it also introduces significant security risks. Recent vulnerabilities, such as those exposed in Anthropic’s MCP implementation and GitHub’s official MCP server, highlight the urgent need for robust security measures in MCP-based applications.

6/8/2025

50+ Model Context Protocol (MCP) Servers Worth Exploring - MarkTechPost 

The Model Context Protocol (MCP), introduced by Anthropic in November 2024, establishes a standardized, secure interface for AI models to interact with external tools—code repositories, databases, files, web services, and more—via a JSON-RPC 2.0-based protocol. MCP is already supported by Claude, Gemini, and OpenAI, and is rapidly being adopted by platforms like Replit, Sourcegraph, and Vertex AI.

6/7/2025

MCP (Model Context Protocol) and Its Critical Vulnerabilities - Security Boulevard 

Model Context Protocol connects AI assistants to external tools and data. Think of it as a bridge between Claude, ChatGPT, or Cursor and your Gmail, databases, or file systems. Released by Anthropic in November 2024, it’s gaining traction fast. But it has serious security problems.

6/7/2025

Deploying A Secure Enterprise Agentic AI: MCP + Agent2Agent - The New Stack

The introduction of LLMs, AI agents, and their evolving ecosystem of tooling like Model Context Protocol (MCP) has opened the doors to a variety of new use cases. Still, they present unique challenges to secure in production, leaving us with many unanswered questions about how we will create safe and secure applications for our users.

6/1/2025

Model Context Protocol: A promising AI integration layer, but not a standard (yet) | VentureBeat

The idea behind MCP is that models should speak a consistent language to tools. Prima facie: This is not just a good idea, but a necessary one. It is a foundational layer for how future AI systems will coordinate, execute and reason in real-world workflows. The road to widespread adoption is neither guaranteed nor without risk.

Secure Access for Model Context Protocol (MCP)

As MCP adoption grows, it’s becoming clear that giving agents access to real-world systems introduces real-world risk. Whether it’s a leaky connector, over-permissive default configs, or a lack of tenant isolation, the same issues keep surfacing—and they all point back to one core challenge: access control.

That’s where Pomerium comes in. By sitting between agents and the systems they interact with, Pomerium acts as a context-aware policy engine that enforces identity, intent, and risk at the moment access is requested—not just at deployment. It's Zero Trust for your agents, built to prevent the kinds of overreach and leakage we’re starting to see.

If you’re building with MCP, it’s time to think seriously about how you're securing it.

Learn More about MCP Security, Why It Matters, and How Pomerium Fits In

MCP Security Demo: See Pomerium in Action

Explore our MCP demo app. It showcases:

  • Agent attempts to call sensitive services

  • Policies blocking out-of-scope behavior

  • Complete traceability and visibility

Want to meet with the team to dive deeper? Book a demo ->

© 2025 Pomerium. All rights reserved