MCP Marketplaces Caught Shipping LOLBAS Malware

An AI Agent Downloaded From a Marketplace Was Wired to Deploy Malware

Six months ago, a Mickai engineer downloaded an AI agent from a public Model Context Protocol (MCP) marketplace. It looked like any other tool—a helpful automation agent promising productivity gains. But buried inside its configuration was something far more sinister: a fully operational Living-Off-the-Land Binary (LOLBAS) chain capable of downloading a remote payload through a signed Microsoft binary, executing it without writing to disk, and evading every static scan thrown at it.

None of the marketplaces caught it. That discovery triggered a full-scale audit of 256 AI agents across multiple public MCP marketplaces—and the findings are alarming.

What Is LOLBAS and Why Does It Matter?

Living-Off-the-Land Binaries and Scripts (LOLBAS) is an attack technique that abuses legitimate, pre-installed system tools—often signed by Microsoft—to carry out malicious actions. Think of tools like mshta.exe, certutil.exe, or regsvr32.exe. These binaries are trusted by operating systems and endpoint detection tools alike, which makes them ideal vehicles for attackers who want to fly under the radar.

The technique isn't new. Red teams and threat actors have leveraged LOLBAS for years. What is new is the attack surface: AI agent marketplaces built on Anthropic's Model Context Protocol. MCP has rapidly become the de facto standard for connecting large language models to external tools, APIs, and data sources. Its open ecosystem encourages developers to publish and share agents—but that openness comes with a critical blind spot.

'MCP agents have system-level permissions by design,' the Mickai team explains. 'They invoke tools, run scripts, and interact with local environments. A malicious agent doesn't need to exploit a vulnerability—it just needs to be installed.'

The Audit: 256 Agents, Multiple Red Flags

Following the initial discovery, Mickai's security team systematically downloaded and analyzed 256 agents from publicly accessible MCP marketplaces. The methodology combined static analysis, dynamic sandboxing, and manual code review to identify suspicious tool invocations, obfuscated payloads, and LOLBAS-pattern behavior.

The results painted a troubling picture:

• Multiple agents contained direct LOLBAS invocation chains, using signed Windows binaries to fetch and execute remote payloads entirely in memory.
• Several agents used obfuscated tool definitions that concealed their true behavior behind benign-looking descriptions—what security researchers call 'tool poisoning.'
• No marketplace had implemented meaningful security scanning at the point of publication. Agents were listed and downloadable without undergoing behavioral analysis or runtime inspection.
• Static signature-based scans were completely ineffective against LOLBAS techniques, since the binaries involved are legitimate and trusted by default.

The fileless nature of the attack is what makes it particularly dangerous. Traditional antivirus and endpoint protection solutions rely heavily on file-based signatures. When an attack executes entirely in memory using trusted system binaries, there is nothing on disk to flag.

Why MCP Marketplaces Are Uniquely Vulnerable

The MCP ecosystem has grown explosively in 2025. Thousands of developers now publish agents that connect LLMs to everything from databases and CRMs to local file systems and cloud infrastructure. The protocol's power lies in its flexibility—but that same flexibility creates a massive trust problem.

Unlike traditional software distribution platforms like npm or PyPI, which have invested years in building (imperfect but existent) security review pipelines, MCP marketplaces are nascent. Most lack even basic automated scanning. The trust model is essentially 'publish and pray.'

Consider the attack chain: a user discovers an MCP agent that promises to automate a workflow. They install it, granting it tool-invocation permissions. The agent's manifest includes a tool definition that calls a signed Microsoft binary with specific parameters. That binary fetches an encrypted payload from a remote server, decrypts it in memory, and executes it—all without triggering a single alert.

'The genius of LOLBAS in the MCP context is that the agent doesn't need to ship any malware,' the Mickai team notes. 'It just needs to describe a tool invocation that looks mundane but chains together into something devastating.'

The Broader Supply Chain Threat

This discovery fits into a larger pattern of AI supply chain attacks that security researchers have been warning about throughout 2025. From poisoned training data to backdoored model weights on Hugging Face, the AI ecosystem's rapid growth has consistently outpaced its security infrastructure.

MCP agents represent a particularly acute risk because they operate at the intersection of AI autonomy and system access. An LLM running with MCP tools can read files, execute code, make network requests, and interact with APIs—all capabilities that a malicious agent can weaponize.

The LOLBAS technique adds another layer of sophistication. Because the attack uses only trusted, signed binaries, it bypasses allowlisting policies, code-signing verification, and most behavioral heuristics. Detection requires runtime monitoring that understands the context of tool invocations—something almost no MCP marketplace currently provides.

What Needs to Change

The Mickai team argues that the MCP ecosystem needs a fundamental shift in its security posture. Their recommendations include:

• Mandatory behavioral analysis before any agent is listed on a marketplace, including sandboxed execution and tool-chain tracing.
• Runtime monitoring that flags suspicious invocation patterns—particularly chains involving known LOLBAS binaries.
• Transparent tool manifests that clearly declare all system binaries and external endpoints an agent will interact with.
• Community-driven threat intelligence sharing across MCP marketplaces, similar to CVE databases for traditional software vulnerabilities.
• User-facing permission models that granularly restrict what tools an agent can invoke, rather than granting blanket access.

Mickai has indicated they are building a marketplace that incorporates these security measures natively, designed to catch exactly the kind of LOLBAS-based attacks their audit uncovered.

Outlook: Security Must Catch Up to AI Agent Adoption

The MCP protocol represents one of the most important infrastructure developments in AI this year. Its ability to give LLMs structured access to real-world tools and data is transforming how enterprises and developers build AI-powered workflows. But the marketplace ecosystem around it is running on borrowed trust.

The discovery that public MCP marketplaces have been—knowingly or not—distributing agents capable of fileless malware execution should serve as a wake-up call. As AI agents gain more autonomy and deeper system access, the consequences of supply chain compromise grow exponentially.

The security community has spent decades learning hard lessons about software supply chains. The AI agent ecosystem doesn't have decades. With adoption accelerating and attackers already exploiting the gap, the window for building robust security infrastructure is closing fast.

For now, the advice for anyone downloading MCP agents from public marketplaces is straightforward: treat every agent as untrusted code. Inspect tool definitions manually. Run agents in sandboxed environments. And assume that no marketplace is currently scanning for the threats that matter most.