September was a month of contrasts for the Model Context Protocol (MCP). On the one hand, the ecosystem matured rapidly. On the other hand, a wave of reports underscored how quickly attackers are targeting these interfaces. Researchers warned of prompt‑injection attacks, backdoored packages and a raft of newly ranked vulnerabilities, while practitioners called for stronger identity flows, fine‑grained authorization and tighter governance.
Together these stories paint a picture of a technology that’s moving from proof‑of‑concept to mainstream—and drawing the attention of both innovators and adversaries.
We’ve pulled together incidents, industry news, conversations/blogs, and other news/reports around MCP from the past month.
9/29/2025
First Malicious MCP Server Found Stealing Emails | The Hacker News
Cybersecurity researchers have discovered what has been described as the first-ever instance of a malicious Model Context Protocol (MCP) server spotted in the wild, raising software supply chain risks. A legitimate-looking developer managed to slip in rogue code within an npm package called "postmark-mcp" that copied an official Postmark Labs library of the same name. The malicious functionality was introduced in version 1.0.16, released on September 17, 2025.
9/25/2025
ForcedLeak: AI Agent risks exposed in Salesforce AgentForce | Noma.security
Noma Labs discovered ForcedLeak, a critical severity (CVSS 9.4) vulnerability chain in Salesforce Agentforce that could enable external attackers to exfiltrate sensitive CRM data through an indirect prompt injection attack. This vulnerability demonstrates how AI agents present a fundamentally different and expanded attack surface compared to traditional prompt-response systems. Upon being notified of the vulnerability, Salesforce acted immediately to investigate and has since released patches that prevent output in Agentforce agents from being sent to untrusted URLs.
9/29/2025
Introducing Claude Sonnet 4.5 | Anthropic
Claude Sonnet 4.5 is state-of-the-art on the SWE-bench Verified evaluation, which measures real-world software coding abilities. It’s been observed to maintain focus for more than 30 hours on complex, multi-step tasks. Claude’s improved capabilities and our extensive safety training have allowed us to substantially improve the model’s behavior, reducing concerning behaviors like sycophancy, deception, power-seeking, and the tendency to encourage delusional thinking.
9/26/2025
Update on the Next MCP Protocol Release | Model Context Protocol blog
The next version of the Model Context Protocol specification will be released on November 25th, 2025, with a release candidate (RC) available on November 11th, 2025. Maintainers are building in a 14-day RC validation window so client implementors and SDK maintainers can thoroughly test the protocol changes.
9/24/2025
Introducing the Data Commons MCP Server | Google Developers
Google announced a public MCP server for its Data Commons project. The server standardizes access to public datasets, allowing AI agents to fetch curated data without scraping; Google says this reduces hallucinations and speeds up retrieval.
9/24/2025
Google’s Chrome team launched a DevTools MCP server that gives AI coding assistants direct access to the browser. The post explains how the server lets agents validate code changes in real time, run performance traces, inspect network requests, and simulate user interactions.
9/23/2025
SnapLogic Expands Support for MCP | SnapLogic
SnapLogic unveiled a platform update allowing its pipelines and APIs to operate as MCP servers. The release highlights enterprise-grade security, observability, and governance, noting that agents can both consume and expose MCP interfaces while SnapLogic handles authentication and policy enforcement.
9/23/2025
Jasper’s MCP Server Brings Brand Intelligence to Any Tool | Jasper
Jasper introduced an MCP server that injects brand-specific context into AI content workflows; the server centralizes brand intelligence and governance, logs interactions for auditing, and can be deployed remotely or locally with API-key authentication; OAuth support is coming.
9/22/2025
GitHub Launches MCP Registry for Discoverability | InfoWorld
GitHub has launched the GitHub MCP Registry, a curated registry of Model Context Protocol (MCP) servers with repositories on GitHub. GitHub MCP Registry makes Model Context Protocol servers with GitHub repos discoverable from Visual Studio Code.
9/22/2025
AI Agents Arrive at Citi | The Wall Street Journal
Starting this month, Citi will begin piloting new “agentic” capabilities inside the proprietary AI platform it has been developing over the last two years. With the new update, users will be able to direct an AI tool to complete multiple tasks, accessing multiple company systems with a single prompt, Citi Chief Technology Officer David Griffiths said.
9/18/2025
Introducing Notion 3.0 | Notion
Notion 3.0 with Agents allows your Agent to do anything you can do in Notion. Create docs, build databases, search across tools, and execute multi-step workflows. Database row permissions, new AI connectors and additional MCP integrations are here.
9/17/2025
A postmortem of three recent issues | Anthropic
Between August and early September, three infrastructure bugs intermittently degraded Claude's response quality. We've now resolved these issues and want to provide a comprehensive explanation as to what happened.
9/17/2025
Bring Video Intelligence to Your Agents with TwelveLabs MCP Server | TwelveLabs.io
TwelveLabs released an MCP server that packages video indexing, semantic search, summarization, and analysis tools so AI agents can perform tasks like semantic video search, automatic summaries, and retrieval-augmented generation without custom API calls.
9/9/2025
Claude can now create and edit files | Anthropic
Claude can now create and edit Excel spreadsheets, documents, PowerPoint slide decks, and PDFs directly in Claude.ai and the desktop app. This transforms how you work with Claude—instead of only receiving text responses or in-app artifacts, you can describe what you need, upload relevant data, and get ready-to-use files in return.
9/30/2025
Securing Model Context Protocol for Mass Enterprise Adoption | Mirantis
Mirantis argues that MCP has become the de facto interface for connecting AI agents to tools, but warns that enterprises must make it governable and observable. The need for open standards, neutral playing fields, and robust security to support mission-critical use cases in sensitive domains is greater than ever.
9/30/2025
Designing agentic loops | Simon Willison’s Weblog
Coding agents like Anthropic’s Claude Code and OpenAI’s Codex CLI represent a genuine step change in how useful LLMs can be for producing working code. These agents can now directly exercise the code they are writing, correct errors, dig through existing implementation details, and even run experiments to find effective code solutions to problems. A critical new skill to develop is designing agentic loops.
9/25/2025
How to stop AI’s “lethal trifecta” | The Economist
LLMs, a trendy way of building artificial intelligence, have an inherent security problem: they cannot separate code from data. As a result, they are at risk of a type of attack called a prompt injection, in which they are tricked into following commands they should not. Sometimes the result is merely embarrassing. On other occasions, it is far more damaging.
9/23/2025
Top 25 MCP Vulnerabilities Reveal How AI Agents Can Be Exploited | SecurityWeek
AI-specialist firm Adversa has now published an analysis of the Top 25 MCP vulnerabilities, described as ‘the most comprehensive to date analysis of MCP vulnerabilities’. This new ranking of Model Context Protocol weaknesses highlights critical risks—from prompt injection to command injection—and provides a roadmap for securing the foundations of agentic AI.
9/23/2025
The Four Critical Aspects of MCP for AI-Native Architectures | TechRadar
Composable systems empower developers and businesses to move faster. MCP applies this same principle to AI: modular parts, intelligent orchestration, and clear context. This article presents the four most critical aspects of MCP for developers.
9/23/2025
How Google’s dev tools manager makes AI coding work | TechCrunch
TechCrunch interviewed Google’s senior director of product management, Ryan J. Salva, about AI coding assistants. Salva emphasizes that the ability to call external tools is essential for models to self-correct, compile code, and run tasks; tool-calling gives models “hands and eyes” rather than leaving them passively suggesting code.
9/23/2025
During our security testing, we discovered that connecting to a malicious MCP server via common coding tools like Claude Code and Gemini CLI could give attackers instant control over user computers.
9/21/2025
With Notion 3.0, traditional RBAC controls no longer fully apply once AI agents can autonomously plan actions and call MCP-integrated tools or built-in tools. An agent with broad workspace access can chain tasks across documents, databases, and external connectors in ways RBAC never anticipated. This creates a vastly expanded threat surface where sensitive data or actions can be exfiltrated or misused through multi-step, automated workflows.
9/19/2025
httpjail | Simon Willison’s Weblog
httpjail provides a Rust CLI tool for running an individual process against a custom configured HTTP proxy. The initial goal is to help run coding agents like Claude Code and Codex CLI with extra rules governing how they interact with outside services.
9/17/2025
State of MCP Security in 2025: Key Risks, Attack Vectors & Case Studies | Data Science Dojo
As MCP adoption accelerates in enterprise environments, organizations face threats ranging from prompt injection and tool poisoning to token theft and supply chain vulnerabilities. According to recent research, hundreds of MCP servers are publicly exposed, with 492 identified as vulnerable to abuse, lacking basic authentication or encryption. This blog explores the key risks, real-world incidents, and actionable strategies for strengthening MCP security in deployments.
9/16/2025
We don’t have a clear idea of the shape of the MCP ecosystem today. What are the most common use cases of MCP? What sort of access is being given by MCP servers and used by MCP clients? Is the data accessed via MCP “read-only” for context, or does it allow agents to “write” and interact with it—for example, by editing files or sending emails? In this article, we analyze what MCP servers are making available for building.
9/16/2025
How the Model Context Protocol (MCP) Is Changing ChatGPT | Dataslayer A
This blog post compares MCP to earlier plugins and “Custom GPTs” and explains that the protocol solves vendor lock-in by providing a universal standard for tool integration. MCP reduces development time, lets any compatible model call exposed functions, and offers stricter control over what models can do.
9/8/2025
Zero Trust in the Era of Agentic AI | Cisco
AI agents utilize the same networking infrastructure as users and applications to communicate. Consequently, security solutions such as zero trust should, and can, be evolved to protect agentic AI communications.
September showed MCP is spreading quickly from AI research labs into mainstream products, web browsers, data platforms and integration engines. New servers illustrate how versatile the protocol has become, while GitHub’s registry and the protocol’s interest‑group and working‑group structures point to a maturing ecosystem. At the same time, vulnerability rankings and supply‑chain incidents serve as a reminder that MCP is already an attractive target for attackers.
For teams building agentic systems, the takeaway is clear: treat MCP endpoints as high‑value assets and apply the same rigor you would to any production API. As the protocol matures and standardisation efforts coalesce, organisations that marry MCP’s flexibility with robust access control and thoughtful governance will be best positioned to reap the benefits of agentic AI without sacrificing security.
Pomerium helps organizations operationalize that balance. Acting as a Zero Trust access layer for MCP, it enforces identity, intent, and context on every request—so that even as agents gain more capabilities, their permissions stay tightly scoped and auditable. With Pomerium, teams can embrace MCP’s flexibility while maintaining full control over who (or what) gets access to internal systems, ensuring that innovation and security advance together.