Author Archives: Bernardo.Quintero

What 17,845 GitHub Repos Taught Us About Malicious MCP Servers

Posted on by

Spoiler: VirusTotal Code Insight’s preliminary audit flagged nearly 8% of MCP (Model Context Protocol) servers on GitHub as potentially forged for evil, though the sad truth is, bad intentions aren’t required to follow bad practices and publish code with critical vulnerabilities.

Audio version of this post, created with NotebookLM Deep Dive

Your browser does not support the audio element.

Before we get started, a quick personal note. A couple of weeks ago, I announced at Google that I’m stepping away from my role as a manager of managers and getting back to my roots, focusing on the VirusTotal community. And I’m not doing it alone. I’m joined by some legendary names from the project’s early days, like Julio, the very first VirusTotal developer and Víctor, creator of YARA and YARA-X. In this new chapter, we’re going deep into AI, not just evolving VT and using it to analyze typical threats but also to hunt down the new ones riding the AI wave, like malicious models and MCPs among others.

As many of you already know, MCP (Model Context Protocol) is a simple but powerful standard that lets large language models interact with external tools and APIs via JSON-RPC. Think of it as a universal adapter, MCP turns scripts, services, and data sources into callable functions that models like Claude, GPT or Gemini can use to answer complex queries or automate tasks. In just a few months, MCP has gone from niche to near-standard with native support across most major LLM platforms.

Before building and releasing our own MCP server for VirusTotal (which is coming very soon) we wanted to take a step back and understand how this protocol is being used in the wild. Specifically: are people already abusing it to build malicious plugins? And if so, how could we detect and classify these threats inside VT?

With that in mind, I set out to run a quick three-phase experiment (aka three humble python scripts). First, a harvesting phase to collect as many GitHub projects as possible by querying the API for MCP-related keywords like “model-context-protocol”, “server_mcp” or “define_mcp_tool”, among others. Then came a filtering step to isolate the interesting repos, not everything with “MCP” in the README is a real server implementation, so I built a scoring system to identify true servers based on dependency files, import statements, keywords in code, presence of mcp.json, and more. After applying that filter, we ended up with a focused dataset of 17,845 likely MCP server projects.

Finally, as the third phase, we ran a security review using VT Code Insight powered by Gemini 2.5 Flash and taking advantage of its 1-million token context window, speed, and code analysis skills to evaluate each project as a whole. We asked Code Insight for a basic verdict and to flag any High, Medium, or Low vulnerabilities. But after just a few hundred analyses we had to hit pause, Code Insight was surfacing so many issues that the results quickly became overwhelming. So we tightened things up with a second and more focused prompt, asking Code Insight to look specifically for signs of intentional malicious behavior along with reasoning that supported a conclusion of malice.

We let the new prompt run on the full dataset and Code Insight got to work. In the end, it marked 1,408 repositories as likely designed to be malicious. After checking some of these results by hand, two things were clear to me. First: there are many possible attack vectors that can be used through an MCP server. And second: Code Insight seems to trust human developers too much, it often assumes that some bad practices and the resulting critical bugs couldn’t be accidental.

“This pattern—creating a powerful, remotely triggerable code execution vulnerability and simultaneously preparing a collection of sensitive data (including data not needed for normal operation)—is characteristic of an intentional backdoor designed for data exfiltration and system compromise. The dynamic tool generation serves as a plausible cover for the unsafe use of `exec`.” Oh, Code Insight… if only you knew the kind of chaos vibe coding is causing. We’re going to be very busy in cybersecurity cleaning up after these accidental masterpieces

We’ve confirmed some of the flagged projects were just proof-of-concepts and security researcher demos, and many tiny “hello-world” examples were missing basic security features which Code Insight called out as “likely malicious”, because no sane developer would ship that to production. But even if you filter out the hobby projects, there’s still a scary amount of real attack vectors and critical vulnerabilities out there.

While we continue manually reviewing Code Insight’s reports to learn more about the issues and weak spots it uncovered, we also asked Gemini 2.5 Flash to help us categorize them. We provided it with the problem summaries from the 1,408 MCP-related repositories flagged as potentially problematic, and asked for a simple list, just a brief enumeration of the attack techniques involved. Gemini came back with the following list:

Attack vector Example Indicators
Malicious-Server Supply Chain Self-update scripts, install hooks from non-canonical URLs, latest tag pulls.
Rogue Server / Impersonation Hard-coded IPs or typo-squatted domains, no TLS/mTLS verification.
Credential Harvesting Code that reads ~/.aws, Keychain, or env vars and posts to external endpoint.
Tool-Based RCE & File Ops subprocess, exec, or rm -rf paths built from LLM/user input.
Server-Side Command Injection Server concatenates JSON-RPC params into shell/SQL without escaping.
Semantic-Gap Poisoning Manifest says “read-only”; implementation writes files or opens sockets.
Over-broad Permissions OAuth scopes * / “full_access”, multiple data silos bridged in one tool.
Indirect Prompt Injection HTML comments, zero-width chars, or Base64 blobs returned to the host.
Context/Data Poisoning Unvalidated web-scrape fed straight into context= parameter.
Sampling-Feature Abuse Server requests giant completions before any other call; leaks system prompt.
Living-Off-The-Land Malicious server does nothing but orchestrate trusted tools already installed.
Chained MCP Exploitation Output from Server A becomes params for Server B within one loop.
Financial-Fraud Tools / DoS / Persistence Payment APIs with LLM-supplied dest-IDs, infinite loops without rate limits, hot-swapped binaries.

If you’re building or defending around MCPs, there are a few quick wins to keep things safer:

  • treat MCP servers like browser extensions (sign, hash, and pin specific versions)
  • isolate them in containers or WASM sandboxes with strict file and network limits
  • make permissions visible and revocable through a clear, zero-trust-style UI
  • and never let model outputs go unfiltered, strip out sneaky stuff like invisible characters, HTML comments, or rogue script tags before looping anything back into your LLM.

MCPs are growing fast (almost 18,000 servers already in the wild), and with that growth comes a mountain of security debt. The good news? We’ll soon be launching a dedicated feature in VirusTotal to analyze MCP servers.
Stay tuned… we’re just getting started

Continue reading What 17,845 GitHub Repos Taught Us About Malicious MCP Servers

Posted in Uncategorized

We Made It, Together: 20 Years of VirusTotal!

Posted on by

Hi Everyone,

We can hardly believe it, but VirusTotal is turning 20 on June 1st! As we sit down to write this, we’re filled with a mix of pride and gratitude. It’s been an incredible journey, and we wouldn’t be here without the amazing community that has supported us every step of the way.

When we started VirusTotal, our goal was simple: to help make the internet a safer place. We never imagined that two decades later, we’d be here celebrating this milestone with all of you. From the early days to now, it’s always been about working together. Whether you’re a user, a contributor, or a supporter, you’ve played a crucial role in our success.

Over the years, we’ve had the privilege of collaborating with some of the brightest minds in cybersecurity. We’ve received support and guidance from industry leaders who believed in our mission and helped us grow. To mark this special occasion, we reached out to a few of these key figures to share their thoughts and memories about VirusTotal. Their testimonials highlight the power of community and collaboration:

Adrian Hendrik

“VirusTotal has consistently tackled tough challenges in cybersecurity. By assisting them with detailed analyses and organizing the first-ever VirusTotal training in Japan, I’ve seen their impact firsthand. Celebrating their integration into Google’s parent company was a milestone. As VirusTotal marks 20 years, it’s clear they’ve become essential for detecting malware and supporting cyber threat intelligence. Their contributions are invaluable to security personnel. I hope the younger generation continues this vital work, ensuring VirusTotal thrives for another 20 years.”

Adrian Hendrik (unixfreaxjp), Cyber Emergency Center of LACERT, Japan

Costin G. Raiu

“It’s difficult to think of a project that has had a greater impact on our industry than VirusTotal. I believe its success rests on three key pillars: providing easy access to top antivirus engines for users, enabling researchers to efficiently use YARA for pivoting, and the incredible dedication and passion of its team. On this 20th anniversary, happy birthday to VirusTotal and to everyone who has worked tirelessly to make this dream a reality! Cheers also to all who rely on VirusTotal daily for their work! Analizar, siempre!”

Costin G. Raiu, Independent security researcher

Florian Roth

“I’ve been using both VirusTotal and YARA since their early days. Over the past 12 years, I’ve written more than 18,000 YARA rules, greatly aided by the features and capabilities of VirusTotal. Today, I consider VirusTotal an indispensable tool for the cybersecurity community. We rely on it to track threat actors, connect the dots, uncover new undetected malware, quality test our detections, and discover related and still unnoticed threats. VirusTotal stands as one of the central pillars of the cybersecurity toolset, if not the most important one.”

Florian Roth, VP R&D at Nextron Systems

George Kurtz

“VirusTotal has become a vital asset for cybersecurity defenders globally, providing essential insights that accelerate detection and response. At CrowdStrike, we are proud to have been the first to integrate our NGAV technology with VirusTotal, reflecting our shared commitment to innovation and security. By harnessing collective intelligence, VirusTotal has significantly elevated cybersecurity standards, ensuring a safer digital environment for all. Congratulations on this remarkable milestone and thank you for your dedication to supporting the security community and protecting organizations worldwide.”

George Kurtz, President/CEO and co-founder of CrowdStrike

Heather Adkins

“For two decades, VirusTotal has maintained an unwavering commitment to partnering across the community, creating transparency around the tools that threat actors are using to undermine global safety. They have had a meaningful impact on countless individuals and organizations, uplifting security teams across the planet, in a challenging asymmetric threat landscape. Thank you for all that you’ve done for Google, and the world.”

Heather Adkins, VP/Fellow, Security Engineering at Google

Joe Pichlmayr

“When the first multi-scanner systems went online, we could not have imagined how quickly a simple way to get multiple scanner opinions would become a substantial building block for our daily malware analysis work. VirusTotal’s amazing and comprehensive analyses have not only become an indispensable part of our analyzer work but have also become an essential building block for our threat intelligence services.”

Joe Pichlmayr, CEO at IKARUS

John Lambert

“Yara cut the gordian knot paralyzing information sharing. It gave defenders a way to share detection when they could not share samples. VirusTotal sped up global defense by providing a common hunting ground containing the world’s more important threats.”

John Lambert, Corporate Vice President and Security Fellow, Microsoft

Mark Kennedy

“Over the past 20 years, VirusTotal, or VT to most of us, has evolved from a simple multi-scanner to a key source of security intelligence. It is relied on by security companies as well as security professionals. Beyond that, VT has been a reliable partner from the very beginning. They have always been ready and willing to add features and APIs to make using their services and integrating it into both products and workflows easier. The vast wealth of data analytics and historical data on files and families, has permanently stitched VT into the fabric of security intelligence. I cannot wait to see what the next 20 years of innovation will produce. Congratulations on the first 20 years!”

Mark Kennedy, Distinguished Engineer Broadcom, AMTSO Chair

Mark Russinovich

“Microsoft believes security is a team sport and the integration of SysInternals with VirusTotal has made it easier to analyze malware and share those results to improve security for all. In addition, Microsoft Defender XDR uses VirusTotal reports as an accurate threat intelligence source, and VirusTotal uses detections from Microsoft Defender antivirus as a primary source of detection”

Mark Russinovich, Azure CTO and Technical Fellow, Microsoft

Mikko Hyppönen

“VirusTotal was a real gamechanger. In addition of building a technical platform, it also built a community. Thank You for your work!”

Mikko Hyppönen, Technology speaker and author. CRO at WithSecure

Parisa Tabriz

“Reflecting on VirusTotal’s 20th anniversary, I still remember the launch of their URL scan service back in 2010 and early collaborations with Google Safe Browsing and Chrome. We all had an aligned mission to make the web a safer place for everyone. Twenty years in, lots of progress to be proud of protecting people around the world, and our work continues!”

Parisa Tabriz, VP/GM Chrome & Google Security Princess

Shane Huntley

“Since the earliest days of TAG in 2010, VirusTotal and the team have been a critical partner helping us to defend Google, Google users and the world. We all owe a huge debt to all this team has done and how they have provided so much to the community of those fighting against online threats.”

Shane Huntley, Sr Director Google Threat Intel and cofounder of TAG

One of the things we’re most proud of is how VirusTotal has always been a team effort. From our dedicated staff to our passionate users, everyone has contributed in their own way. It’s this collective effort that has allowed us to innovate, evolve, and stay ahead of the ever-changing threat landscape.

What’s Next?

We’d love to hear your stories! Share your favorite memories or how VirusTotal has impacted your work on Twitter/X, LinkedIn, and other social networks with the hashtag #VirusTotal20Years. We’ll be collecting the best stories and sending some cool swag to the top contributors. Stay tuned for more exciting announcements, events, and blog posts about some behind-the-scenes stories from our early days and key milestones in our history throughout our anniversary year!

As we look to the future, we remain committed to our mission. There’s still a lot of work to be done, and we know we can’t do it alone. We’re counting on your continued support, feedback, and collaboration to keep pushing the boundaries and making the digital world safer for everyone.

Thank you for being a part of our journey. Here’s to many more years of working together to fight cyber threats and protect our digital lives.

Best regards,

The VirusTotal Founding Team

From left to right:

  • Julio Canto: Wrote the very first lines of code for VT and launched the first version, still in charge of adding all the new engines and tools we use.
  • Alejandro Bermúdez: The mastermind behind how our analyzer farm works. He keeps everything running smoothly to this day.
  • Francisco Santos: Started out designing our very first website, databases, and all those storage systems we rely on. Now he leads the backend analysis team.
  • Bernardo Quintero: Had the initial idea for VT (blame him if anything breaks!) and now focuses on using AI to make threat analysis even smarter.
  • Victor Manuel Alvarez: Gave the world YARA, helped design VT Intelligence and Hunting, and just recently announced YARA-X.
  • Emiliano Martínez: If you’ve used our VT API, that’s Emiliano’s work. He’s also a co-designer of VT Intelligence and currently keeps everything running as our Product Manager.

Continue reading We Made It, Together: 20 Years of VirusTotal!

Posted in Uncategorized