cd /news/ai-agents/scanners-are-hunting-mcp-servers-and… · home topics ai-agents article
[ARTICLE · art-57833] src=internationalcyberdigest.com ↗ pub= topic=ai-agents verified=true sentiment=↓ negative

Scanners Are Hunting MCP Servers and AI Assistant Credentials

Internet scanners are systematically probing for AI agent infrastructure, including Model Context Protocol (MCP) servers and AI assistant credential files, according to a SANS Internet Storm Center handler. The scans, observed from 49 distinct IP addresses, target exposed MCP servers that could give attackers access to databases and internal APIs, as well as configuration files from tools like Claude and Cursor that may contain API keys. Organizations adopting AI agents face an expanded attack surface as attackers actively hunt for these new targets.

read3 min views1 publishedJul 13, 2026
Scanners Are Hunting MCP Servers and AI Assistant Credentials
Image: Internationalcyberdigest (auto-discovered)

The server in question should have been boring. A SANS Internet Storm Center handler, Manuel Humberto Santander Peláez, pulled two weeks of Apache and ModSecurity logs from a small web host running a WordPress site, a couple of custom backends, and a static site. The goal was to sample the background radiation of internet scanning in 2026. Most of it was the expected noise: xmlrpc floods, .env probing, git config fishing, and a heavy volume of Spring Boot Actuator requests.

Mixed into that noise was something the handler says he had not seen documented before. Scanners are systematically looking for AI agent infrastructure on a host that runs none.

A scanner that speaks the protocol #

The standout finding is the POST /mcp traffic. Rather than blindly requesting a path and checking the status code, every probe carried a valid JSON-RPC 2.0 body performing a Model Context Protocol initialize call, complete with a real protocol version. The scanner completes the handshake and waits to see if anything answers like an MCP server.

That category alone came from 49 distinct source IPs, more spread than any other category in the dataset. In the handler's read, this is not one researcher poking around. It is a broad, distributed scan.

The stakes are straightforward. An MCP server is the bridge that lets an AI agent call tools and read data sources: databases, file systems, ticketing systems, internal APIs. An exposed, unauthenticated one hands a remote attacker a machine-readable inventory of everything the agent can do, available to anyone who completes the handshake.

Fishing for assistant credentials #

Alongside the handshakes, scanners requested configuration and credential files that AI coding assistants write to project and home directories, including .claude/mcp.json, .cursor/mcp.json, .vscode/mcp.json, .claude/settings.local.json, and .claude/.credentials.json. When developers accidentally deploy these to a web root, they leak, and sometimes they contain API keys.

Two details suggest mature tooling. The paths reflect current, real knowledge of how these tools store settings. And the credential files were checked with HEAD requests, which return headers without a body. That existence-check-first approach is an efficiency optimization built for sweeping large numbers of hosts, not a one-off curiosity probe. The AI assistant paths sat inside the same wordlist as generic cloud credential files for AWS, GCP, Azure, and Kubernetes, which suggests the tooling authors now treat assistant secrets as just another credential worth harvesting.

A third strand probed for unauthenticated LLM endpoints: /v1/models, the OpenAI-compatible model-listing route, and /api/tags, the Ollama endpoint that lists installed models. Ollama binds to localhost by default but is commonly exposed by accident. An open instance means free compute for an attacker and a potential pivot point.

Riding along was a classic that pairs naturally with agent tooling: SSRF probes against the GCP metadata service, rotating parameter names across url, uri, path, and dest to find any fetch-style endpoint that will follow a supplied link. Agent and LLM tooling is full of exactly those helpers.

Why it matters #

None of the targeted infrastructure existed on this host, and that is the point. Scanners have added MCP servers, assistant credentials, and local LLMs to their standard target lists before these deployments are common. Organizations adopting AI agents grew their attack surface, and the people scanning the internet already know it.

What to watch #

The diary offers concrete checks. Grep access logs for POST /mcp and /sse; on a host with no MCP server, any hit is pure recon and a useful block indicator. Verify no .claude/, .cursor/, or .vscode/mcp.json files are reachable in web roots. Test your own hosts externally on /v1/models and /api/tags. Ensure fetch-style endpoints block 169.254.169.254 and metadata.google.internal, and enforce IMDSv2 on AWS and header-enforced metadata on GCP.

Source: SANS Internet Storm Center diary, published July 13, 2026.

Get the ICD Newsletter

Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.

── more in #ai-agents 4 stories · sorted by recency
── more on @sans internet storm center 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/scanners-are-hunting…] indexed:0 read:3min 2026-07-13 ·