Software Engineering Daily

MCP Security at Wiz with Rami McCarthy

54 min episode · 2 min read

AI-Generated Summary

Key Takeaways

  • AI Secrets Leakage: Four out of five new public repository secrets are AI-related, driven by LLMs generating hardcoded credentials and AI tools using plain text configuration files without established secret scanning coverage for emerging platforms.
  • MCP Local Server Risk: Organizations should maintain small allowlists of approved MCP servers tied to reputable organizations, treating them like Chrome extensions with permissioning models rather than allowing unrestricted consumption of 4,000+ available servers from unvetted sources.
  • Auto-Approval Vulnerability: Running MCP clients with auto-approval enabled eliminates human oversight that catches indirect prompt injection attacks, where malicious prompts embedded in GitHub issues can trigger unintended actions without user intervention or detection.
  • Supply Chain Attack Pattern: The tj-actions compromise demonstrates multi-step attacks in which attackers first compromise less popular actions to gain access to widely used dependencies, so organizations must monitor not just their direct dependencies but the entire upstream chain.

What It Covers

Rami McCarthy from Wiz discusses Model Context Protocol security risks, AI-generated code vulnerabilities, secrets leakage patterns, GitHub Actions supply chain attacks, and practical security guidance for organizations adopting AI development tools.

Notable Moment

McCarthy reveals that academic research shows roughly one quarter to one third of AI-generated code snippets contain security vulnerabilities when sufficiently complex, requiring the same security scaffolding and review processes as human-written code.
