Simon Willison coined a new term called the lethal trifecta. As someone that uses AI every day and has been experimenting with MCP Servers in the last few months, I was surprised at the new attack vectors that MCP Servers unlock.
The lethal trifecta is to quote Simon:
- Access to your private data — one of the most common purposes of tools in the first place!
- Exposure to untrusted content — any mechanism by which text (or images) controlled by a malicious attacker could become available to your LLM
- The ability to externally communicate in a way that could be used to steal your data (I often call this “exfiltration” but I’m not confident that term is widely understood.)
Github’s MCP server exploit from May 2025 is an example of this.