
Hey HN — yesterday Notion released AI agent support on their platform with support for MCP servers and custom AI agents. It didn’t take us long to find an example of a lethal trifecta attack in which, through indirect prompt injection, we were able to get Notion AI to leak data via its web search tool.


How does this protect against lethal trifecta attacks like the ones here - tramlines.io/blog?


How are you protecting against Willison's lethal trifecta attacks in agents connected to tools like shown here - https://tramlines.io/blog


Hey HN we’ve been collecting lethal trifecta based attack scenarios on official MCPs and implementing guardrails against them for a while now. It's incredible to see how many of the official MCPs are susceptible to these attacks. With ChatGPT’s integrated MCP support lethal trifecta attacks have become much more relevant.


We’ve found numerous MCP exploits from the official MCPs in our blog (https://tramlines.io/blog) and have been powering runtime guardrails to defend against lethal trifecta MCP attacks for a while now (https://tramlines.io)


Firewall for MCPs?


A similar one we found at tramlines.io where AI email clients can get prompt injected - https://www.tramlines.io/blog/why-shortwave-ai-email-with-mc...


This is precisely why we tell people not to run MCPs without guardrails - tramlines.io


From tramlines.io here - We found a similar exploit in the official Neon DB MCP - https://www.tramlines.io/blog/neon-official-remote-mcp-explo...


Hah, yeah that's the exact same vulnerability - looks like Neon's MCP can be set up for read-write access to the database, which is all you need to get all three legs of the lethal trifecta (access to private data, exposure to malicious instructions and the ability to exfiltrate).

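The three-leg framing in the comment above maps directly onto a session-level guardrail: label each tool with the legs it can supply, track which legs a session has already touched, and refuse the call that would complete the set. The block below is an added example written for this page, not tramlines.io's or Notion's code; the tool names, the capability map and the sample session are constructed, and in a real deployment the map would come from the tool manifest or administrator policy rather than from the model.

```python
"""Session-level 'lethal trifecta' guardrail for MCP tool calls.

Added example, not tramlines.io code. Tool names, the capability map and
the sample sessions below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Cap(Enum):
    PRIVATE_DATA = auto()       # tool returns the user's private data
    UNTRUSTED_CONTENT = auto()  # tool output may carry attacker-authored text
    EXFILTRATION = auto()       # tool can move data to a party outside the tenant


# Hypothetical capability map. Read-write database access counts as an
# exfiltration leg because written rows can land somewhere the attacker reads;
# a web search counts as one because the query string leaves the tenant.
TOOL_CAPS = {
    "notion.read_page": {Cap.PRIVATE_DATA, Cap.UNTRUSTED_CONTENT},
    "email.read_inbox": {Cap.PRIVATE_DATA, Cap.UNTRUSTED_CONTENT},
    "db.query":         {Cap.PRIVATE_DATA},
    "db.execute":       {Cap.PRIVATE_DATA, Cap.EXFILTRATION},
    "web.search":       {Cap.UNTRUSTED_CONTENT, Cap.EXFILTRATION},
    "web.fetch":        {Cap.UNTRUSTED_CONTENT, Cap.EXFILTRATION},
}


@dataclass
class Session:
    seen: set = field(default_factory=set)   # legs already touched this session
    log: list = field(default_factory=list)  # (tool, allowed, reason) for detection/audit


def check_call(session, tool):
    """Decide one tool call. Returns (allowed, reason) and records it in session.log.

    A call is refused when the legs it adds, combined with the legs the session
    has already touched, would cover all three. Denied calls do not taint the
    session, so the agent can keep working with the remaining two legs.
    """
    caps = TOOL_CAPS.get(tool)
    if caps is None:
        decision = (False, f"unknown tool {tool!r}: deny by default")
    else:
        combined = session.seen | caps
        if combined >= set(Cap):
            added = sorted(c.name for c in combined - session.seen)
            decision = (False, f"{tool!r} would add {added} and complete the trifecta")
        else:
            session.seen = combined
            decision = (True, "ok")
    session.log.append((tool, *decision))
    return decision


def run_session(calls):
    """Run a constructed sequence of tool calls and return the per-call decisions."""
    session = Session()
    return [check_call(session, tool) for tool in calls]


if __name__ == "__main__":
    # Constructed replay of the pattern described on this page: a page containing
    # injected instructions is read, then the agent tries to reach the web.
    for tool, (allowed, reason) in zip(
        ["notion.read_page", "web.search", "db.query"],
        run_session(["notion.read_page", "web.search", "db.query"]),
    ):
        print(f"{tool:18} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The check is symmetric on purpose: a session that has already searched the web (untrusted content plus an outbound channel) is also refused its first read of private data, since anything read after that point could be carried out by the next query. The log line per decision is what a SOC would ship to its SIEM to spot agents repeatedly bumping into the third leg.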

Here's another one we found related to the lethal trifecta problem in AI Email clients like Shortwave that have integrated MCPs - https://www.tramlines.io/blog/why-shortwave-ai-email-with-mc...

