Recent internet-wide scanning activities have revealed that threat actors are actively probing for Model Context Protocol (MCP) servers, AI assistant configuration files, and exposed local language-model services. This widespread reconnaissance indicates a growing interest in exploiting vulnerabilities within AI infrastructures.
Analysts at the Internet Storm Center identified approximately 200 requests related to AI-agent reconnaissance over a two-week period. These probes originated from 49 distinct IP addresses and targeted low-traffic websites that seemingly lacked AI infrastructure. This pattern suggests a broad, opportunistic scanning campaign rather than a focused attack on specific organizations or developers.
Targeting MCP Servers
Notably, the scanning activity involved sending valid MCP initialization requests, utilizing correctly formed JSON-RPC messages to initiate MCP conversations. This method allows attackers to determine if a reachable service functions as an MCP server. A positive response could enable them to identify available tools, connected data sources, and the actions permitted for the AI agent.
MCP servers often grant AI agents access to critical resources such as databases, internal APIs, file systems, and ticketing tools. If exposed without proper authentication, these servers can provide unauthorized users with a comprehensive, machine-readable map of accessible services and data. The distributed nature of these probes, emanating from multiple IP addresses, indicates a large-scale scanning effort aimed at identifying vulnerable deployments.
Risks to Credentials and AI Models
In addition to MCP servers, the scanning activity targeted files associated with AI coding assistants, including configuration and credential files that developers might inadvertently place in public web directories. These files can contain sensitive information such as connection details, service settings, and API keys, which, if exposed, could be exploited by malicious actors.
Organizations are advised to review access logs for any suspicious MCP-related traffic. Systems not utilizing MCP should treat such requests as potential reconnaissance attempts and implement appropriate blocking measures. For those operating MCP servers, it is crucial to enforce strong authentication protocols and restrict public internet access unless absolutely necessary. Limiting network exposure reduces the likelihood of unauthorized discovery and exploitation of these services.
This surge in scanning activities underscores the importance of securing AI infrastructures. As AI systems become more integrated into business operations, they present new attack vectors for cybercriminals. Proactive measures, including regular security audits, strict access controls, and continuous monitoring, are essential to safeguard sensitive data and maintain the integrity of AI deployments.