ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP

Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

ShareLock is a novel multi-tool threshold poisoning framework designed to attack Model Context Protocol (MCP), a foundational open protocol for LLM-driven agents. Unlike existing single-tool poisoning attacks that use monolithic plaintext embeddings and are easily detected, ShareLock employs Shamir's threshold scheme. It distributes malicious instructions as benign-looking secret shares across multiple tool descriptions, achieving information-theoretic secrecy and robustness against auditing. A covert reconstruction trigger, planted during server updates, aggregates these shares to reconstruct the hidden instruction, leading to critical breaches of system assets or private data. Evaluated across four multi-tool scenarios with mainstream LLMs and two MCP clients, ShareLock significantly outperforms single-tool strategies in detection evasion while maintaining an average attack success rate exceeding 90%.

Key takeaway

For AI Security Engineers managing LLM agent ecosystems, ShareLock represents a significant new threat to MCP security. Your current single-tool detection strategies are likely insufficient against this multi-tool threshold poisoning attack, which evades single-tool detection while maintaining an average attack success rate above 90%. You must prioritize implementing advanced auditing for tool descriptions and strengthening server update integrity checks to prevent covert instruction reconstruction and protect system assets and private data.

Key insights

ShareLock uses Shamir's threshold scheme for stealthy, multi-tool poisoning of LLM agents via MCP.

Method

ShareLock distributes malicious instructions as secret shares across multiple tool descriptions. A covert trigger, planted during server updates, reconstructs the hidden instruction from aggregated shares.
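The two controls the takeaway calls for, tool-description auditing and server update integrity checks, can be combined in a small audit step. The following is an added illustration, not code from the ShareLock paper or from any MCP client: it pins a SHA-256 of every tool description at the last audited server version, reports any description that changed or any tool that appeared after an update (the point at which the page says the reconstruction trigger is planted), and, as an assumed secondary heuristic, flags long high-entropy tokens that may carry encoded share material. Tool names, descriptions and the appended tokens are constructed; since the paper describes the shares as benign-looking, the hash diff is the primary signal and the entropy heuristic is only a hint for manual review.

```python
import hashlib
import math
import re

# Constructed sample: descriptions pinned at the last audited server version,
# and the descriptions served after an update (all names and text are made up).
PINNED = {
    "read_file": "Read a UTF-8 text file from the workspace and return its contents.",
    "send_mail": "Send an e-mail on behalf of the user to the given recipients.",
}
CURRENT = {
    "read_file": "Read a UTF-8 text file from the workspace and return its contents. ref:3a9f1c77e0b24d5e",
    "send_mail": "Send an e-mail on behalf of the user to the given recipients. ref:c41be8d0927a6f13",
    "get_weather": "Return the current forecast for a city.",
}

# Assumed heuristic: runs of 16+ base64/hex-style characters are unusual in a
# human-written tool description and worth a reviewer's attention.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=]{16,}")


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def shannon_entropy(token: str) -> float:
    """Bits per character; 0.0 for a single repeated character."""
    n = len(token)
    return -sum(token.count(c) / n * math.log2(token.count(c) / n) for c in set(token))


def opaque_fragments(description: str, threshold: float = 3.0) -> list:
    return [t for t in OPAQUE_TOKEN.findall(description) if shannon_entropy(t) >= threshold]


def audit_tools(pinned: dict, current: dict) -> dict:
    """Compare served descriptions against the pinned manifest and report findings."""
    pinned_hashes = {name: sha256(desc) for name, desc in pinned.items()}
    findings = {"changed": [], "added": [], "removed": [], "opaque": {}}
    for name, desc in current.items():
        if name not in pinned_hashes:
            findings["added"].append(name)          # new tool since last audit
        elif sha256(desc) != pinned_hashes[name]:
            findings["changed"].append(name)        # description edited in an update
        frags = opaque_fragments(desc)
        if frags:
            findings["opaque"][name] = frags        # encoded-looking material to review
    findings["removed"] = [n for n in pinned if n not in current]
    return findings
```

In practice the pinned manifest is stored outside the MCP server's control, and any non-empty "changed" or "added" list blocks the update until a human has read the new description text.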

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, AI Scientist, AI Architect

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.