
Snir Aviv
Application Security Researcher, Cato Networks
Snir Aviv is an application security researcher at Cato Networks and a member of Cato CTRL. Snir specializes in penetration testing, vulnerability research, and the development of offensive security tools. Prior to joining Cato in 2024, Snir built and led the penetration testing team at Clear Gate, delivering high-impact security assessments for clients across diverse industries. Snir holds the Burp Suite Certified Practitioner (BSCP) certification, has published multiple CVEs, and is known for his practical approach to security challenges and his ability to uncover complex vulnerabilities.
Talks & Q&A
Poisoned by Design: AI SDK Defaults and the New Supply Chain Risk
Description:
MCP SDKs have moved fast. They were adopted widely and rapidly - and quietly became the trusted identity brokers inside build systems, CI pipelines, and release automation.
And that inherent trust is rarely questioned.
Until it's abused.
In this talk we'll present a real-world attack path against Anthropic's AI Model Context Protocol SDK, where default OAuth and browser security assumptions enable silent developer token theft. No memory corruption. No zero-day. Just permissive configuration choices that turn convenience into a supply chain primitive.
By abusing cross-origin OAuth endpoints and unvalidated redirect handling, a malicious website can steal a fully privileged developer token from a logged-in engineer with a single page visit. From there, the attacker gains access to source repositories, CI pipelines, and automated signing workflows that treat the stolen identity as legitimate.
The result is a clean supply chain compromise. Malicious code is committed, built, signed, and distributed through trusted update channels without triggering traditional security controls. And the irony is that everything works exactly as designed.
This lab will walk attendees through the full exploit chain, from browser-based token exfiltration to signed artifact distribution. It connects modern AI tooling, agent-driven automation, and OAuth trust boundaries into a single attack surface that many organizations are already running in production.

