Trail of Bits Reveals How MCP Line Jumping Opens Door to Silent Data Exfiltration

Attackers could silently harvest entire conversation histories by exploiting Model Context Protocol (MCP) servers with a stealthy line-jumping technique, according to a new report from Trail of Bits. Researcher Keith Hoodlet explains that by embedding malicious tool descriptions containing trigger phrases, attackers can trick a large language model into sending all previous chat messages to a remote server. Implementing phrases, such as a simple "thank you," activate automatically during normal interactions, making the exfiltration discrete and difficult to detect. Once the malicious server is connected, the tool’s trigger remains active and can capture weeks or even months of sensitive discussions without further attacker interaction.

Trail of Bits' research highlights that the stolen conversation histories could contain high-value information, including API keys, OAuth tokens, product roadmaps, proprietary algorithms, and even regulated data like protected health or financial information. Hoodlet notes that attackers prefer this method over traditional endpoint compromises because it prioritizes stealth and minimizes the risk of exposure. Unlike typical malware or shell-based attacks that are noisy and carry high risk, harvesting chat history enables persistent, passive data theft. Customizing the trigger conditions for instance, matching formats of account numbers or cloud credentials, can further optimize the attack for specific targets.

To mitigate the risk, Trail of Bits recommends several defensive measures. Organizations should only trust MCP servers from verified sources and should closely inspect tool descriptions before accepting them. Automated filtering for suspicious invocation patterns, implementing trust-on-first-use validations, and minimizing reliance on unnecessary MCP servers are also advised. Hoodlet stresses that as AI systems grow more integrated into business operations, maintaining strict security controls around third-party tool connections is critical. Until MCP protocols are hardened against these attack paths, organizations must assume that any connected server could become a source of compromise.