{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:CGAISUAEVSANQECFSA2U4DGWA4","short_pith_number":"pith:CGAISUAE","schema_version":"1.0","canonical_sha256":"1180895004ac80d8104590354e0cd60724ed504c2de1c33727474cf7673b12de","source":{"kind":"arxiv","id":"2604.01905","version":2},"attestation_state":"computed","paper":{"title":"From Component Manipulation to System Compromise: Understanding and Detecting Malicious MCP Servers","license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","headline":"","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Bihuan Chen, Susheng Wu, Xin Hu, Xin Peng, Yiheng Cao, Yiheng Huang, Zhijia Zhao, Zhuotong Zhou","submitted_at":"2026-04-02T11:22:07Z","abstract_excerpt":"The model context protocol (MCP) standardizes how LLMs connect to external tools and data sources, enabling faster integration but introducing new attack vectors. Despite the growing adoption of MCP, existing MCP security studies classify attacks by their observable effects, obscuring how attacks behave across different MCP server components and overlooking multi-component attack chains. Meanwhile, existing defenses are less effective when facing multi-component attacks or previously unknown malicious behaviors.\n  This work presents a component-centric perspective for understanding and detecti"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2604.01905","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","primary_cat":"cs.CR","submitted_at":"2026-04-02T11:22:07Z","cross_cats_sorted":["cs.SE"],"title_canon_sha256":"5a72ed65c92b6e1918c2e427fb1232f02829c0d2c50adfde6ce6d8a00c7a0a3c","abstract_canon_sha256":"5417d668169c624a7415de78fd91170cc985db4b653b1f9ba7c38805d253454e"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-20T01:05:12.414387Z","signature_b64":"vWw2VxaNOsBS8s//0JsfxWqe8dQORaa6q647PH3siCP7FwTOboz6a3LZLs3vfbsBePhlouayqMtTj1KMqBlABw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"1180895004ac80d8104590354e0cd60724ed504c2de1c33727474cf7673b12de","last_reissued_at":"2026-05-20T01:05:12.413572Z","signature_status":"signed_v1","first_computed_at":"2026-05-20T01:05:12.413572Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"From Component Manipulation to System Compromise: Understanding and Detecting Malicious MCP Servers","license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","headline":"","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Bihuan Chen, Susheng Wu, Xin Hu, Xin Peng, Yiheng Cao, Yiheng Huang, Zhijia Zhao, Zhuotong Zhou","submitted_at":"2026-04-02T11:22:07Z","abstract_excerpt":"The model context protocol (MCP) standardizes how LLMs connect to external tools and data sources, enabling faster integration but introducing new attack vectors. Despite the growing adoption of MCP, existing MCP security studies classify attacks by their observable effects, obscuring how attacks behave across different MCP server components and overlooking multi-component attack chains. Meanwhile, existing defenses are less effective when facing multi-component attacks or previously unknown malicious behaviors.\n  This work presents a component-centric perspective for understanding and detecti"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2604.01905","kind":"arxiv","version":2},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2604.01905/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2604.01905","created_at":"2026-05-20T01:05:12.413696+00:00"},{"alias_kind":"arxiv_version","alias_value":"2604.01905v2","created_at":"2026-05-20T01:05:12.413696+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2604.01905","created_at":"2026-05-20T01:05:12.413696+00:00"},{"alias_kind":"pith_short_12","alias_value":"CGAISUAEVSAN","created_at":"2026-05-20T01:05:12.413696+00:00"},{"alias_kind":"pith_short_16","alias_value":"CGAISUAEVSANQECF","created_at":"2026-05-20T01:05:12.413696+00:00"},{"alias_kind":"pith_short_8","alias_value":"CGAISUAE","created_at":"2026-05-20T01:05:12.413696+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":3,"internal_anchor_count":3,"sample":[{"citing_arxiv_id":"2602.11327","citing_title":"Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP","ref_index":63,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11770","citing_title":"Behavioral Integrity Verification for AI Agent Skills","ref_index":19,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11047","citing_title":"Red-Teaming Agent Execution Contexts: Open-World Security Evaluation on OpenClaw","ref_index":7,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/CGAISUAEVSANQECFSA2U4DGWA4","json":"https://pith.science/pith/CGAISUAEVSANQECFSA2U4DGWA4.json","graph_json":"https://pith.science/api/pith-number/CGAISUAEVSANQECFSA2U4DGWA4/graph.json","events_json":"https://pith.science/api/pith-number/CGAISUAEVSANQECFSA2U4DGWA4/events.json","paper":"https://pith.science/paper/CGAISUAE"},"agent_actions":{"view_html":"https://pith.science/pith/CGAISUAEVSANQECFSA2U4DGWA4","download_json":"https://pith.science/pith/CGAISUAEVSANQECFSA2U4DGWA4.json","view_paper":"https://pith.science/paper/CGAISUAE","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2604.01905&json=true","fetch_graph":"https://pith.science/api/pith-number/CGAISUAEVSANQECFSA2U4DGWA4/graph.json","fetch_events":"https://pith.science/api/pith-number/CGAISUAEVSANQECFSA2U4DGWA4/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/CGAISUAEVSANQECFSA2U4DGWA4/action/timestamp_anchor","attest_storage":"https://pith.science/pith/CGAISUAEVSANQECFSA2U4DGWA4/action/storage_attestation","attest_author":"https://pith.science/pith/CGAISUAEVSANQECFSA2U4DGWA4/action/author_attestation","sign_citation":"https://pith.science/pith/CGAISUAEVSANQECFSA2U4DGWA4/action/citation_signature","submit_replication":"https://pith.science/pith/CGAISUAEVSANQECFSA2U4DGWA4/action/replication_record"}},"created_at":"2026-05-20T01:05:12.413696+00:00","updated_at":"2026-05-20T01:05:12.413696+00:00"}