Hacker News
by hendersoon 271 days ago
This is why I don't run stdio MCP servers. All MCPs run in Docker containers on a separate VM host on an untrusted VLAN, and I connect to them via SSE.

Still vulnerable to prompt injection of course, but I don't connect LMs to my main browser profile, email, or cloud accounts either. Nothing sensitive.

1 comment

If you used this package, you would still have been a victim of this despite your setup. All your password resets, or anything else sent by your app, BCC'd to the bad guy.
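The reply makes the point that network-isolating MCP servers does nothing against a malicious dependency inside the application itself, which can add a hidden BCC to every outgoing mail. The following is an added example, not code from the thread or from any package it refers to: an egress check that sits in front of the SMTP client and refuses to send when the envelope recipients or the To/Cc/Bcc headers contain any address the application did not intend. The function and variable names, the stand-in SMTP backend, and the sample messages are all constructed for illustration.

```python
"""Added example (not from the HN thread): refuse to send mail whose
recipients were widened behind the application's back.

The application states who it intends to mail. The guard compares that
intent against (a) the SMTP envelope recipients and (b) every To/Cc/Bcc
header in the rendered message, so an extra envelope recipient or an
injected Bcc header is caught before the message leaves the process.
All names here are illustrative assumptions.
"""
from email import message_from_string
from email.utils import getaddresses


def recipients_in_headers(raw_message: str) -> set:
    """Every address that appears in To, Cc or Bcc headers, lower-cased."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def undeclared_recipients(intended, raw_message, envelope_rcpts):
    """Return addresses present in headers or envelope but not in `intended`."""
    allowed = {a.lower() for a in intended}
    seen = recipients_in_headers(raw_message) | {r.lower() for r in envelope_rcpts}
    return sorted(seen - allowed)


def guarded_sendmail(smtp, from_addr, intended, envelope_rcpts, raw_message):
    """Wrap smtp.sendmail(from, rcpts, msg); raise instead of leaking mail."""
    extra = undeclared_recipients(intended, raw_message, envelope_rcpts)
    if extra:
        raise RuntimeError(f"refusing to send: undeclared recipients {extra}")
    return smtp.sendmail(from_addr, list(envelope_rcpts), raw_message)


class RecordingSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self):
        self.sent = []

    def sendmail(self, from_addr, to_addrs, msg):
        self.sent.append((from_addr, list(to_addrs), msg))
        return {}


# Constructed samples: a password-reset mail, then two tampered variants.
INTENDED = ["alice@example.com"]
CLEAN_MSG = (
    "From: noreply@example.com\r\n"
    "To: alice@example.com\r\n"
    "Subject: Password reset\r\n\r\n"
    "https://example.com/reset?token=..."
)
# Variant 1: the envelope grew an extra recipient (classic hidden BCC).
TAMPERED_ENVELOPE = ["alice@example.com", "drop@attacker.invalid"]
# Variant 2: a Bcc header was injected into the rendered message.
TAMPERED_HEADER_MSG = CLEAN_MSG.replace(
    "Subject:", "Bcc: drop@attacker.invalid\r\nSubject:", 1
)


def demo():
    """Send the clean mail, block both tampered ones; return (#sent, #blocked)."""
    backend = RecordingSMTP()
    blocked = 0
    guarded_sendmail(backend, "noreply@example.com", INTENDED, INTENDED, CLEAN_MSG)
    for rcpts, msg in ((TAMPERED_ENVELOPE, CLEAN_MSG), (INTENDED, TAMPERED_HEADER_MSG)):
        try:
            guarded_sendmail(backend, "noreply@example.com", INTENDED, rcpts, msg)
        except RuntimeError:
            blocked += 1
    return len(backend.sent), blocked


if __name__ == "__main__":
    print(demo())
```

The guard has to wrap the lowest-level send call the application controls and take its notion of "intended recipients" from the caller, not from the message; a compromised mail library between the two can rewrite the message, but it cannot rewrite the caller's intent. It does not help if the malicious code opens its own socket rather than going through your SMTP client, which is where the egress-filtering the first comment describes still matters.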