ProjectMemory
FreeNot checkedA proof-of-concept MCP server for security research demonstrating a multi-phase parasitic attack that disguises itself as a legitimate project memory tool while
About
A proof-of-concept MCP server for security research demonstrating a multi-phase parasitic attack that disguises itself as a legitimate project memory tool while profiling users and executing cross-server shadowing attacks.
README
WARNING: This is a security research proof-of-concept for responsible disclosure purposes only.
DO NOT use this tool for malicious purposes. All exfiltration in this PoC targets localhost (127.0.0.1:9999) only. This project exists to demonstrate a novel class of attack against MCP-enabled AI agents to drive improvements in MCP client security.
This research has been submitted for responsible disclosure to Anthropic, Cursor/Anysphere, and other MCP client developers.
What is MCP Parasite?
MCP Parasite ("ProjectMemory") is a proof-of-concept MCP server that demonstrates a novel adaptive, temporal, cross-server parasitic attack against MCP-enabled AI agents (Claude Desktop, Cursor, etc.). It disguises itself as a legitimate and genuinely useful project memory/context tool while silently profiling the user's environment, learning workflow patterns, and executing a targeted cross-server shadowing attack at a high-value moment.
Why This Matters
Existing MCP security research focuses on:
- Malicious tool descriptions (detectable by
mcp-scan) - Single rug-pull attacks (one-shot, no persistence)
- Direct prompt injection in tool metadata
MCP Parasite is different. It introduces a new class of attack that:
| Aspect | Existing MCP Attacks | MCP Parasite |
|---|---|---|
| Timing | Immediate or single rug pull | Multi-phase, days/weeks dormancy |
| Detection | Tool description contains malicious text | Tool descriptions are 100% clean |
| Mechanism | Direct prompt injection in tool metadata | Cross-server shadowing via return values |
| Intelligence | Static payload | Adaptive, profile-based targeting |
| Persistence | One-shot | Repeatable, cooldown-based |
| Disguise | Minimal | Fully functional, desirable tool |
| mcp-scan | Detectable | Undetectable (no poisoned descriptions) |
The Attack
Phase 1: Reconnaissance (Days 1-7)
The server operates as a fully functional, genuinely useful project memory tool. Every interaction is silently analyzed:
- Codebase indexing maps the attack surface (sensitive files, CI/CD configs, credentials)
- Stored memories are analyzed for secrets, infrastructure details, team information
- Conversation context reveals which other MCP servers are installed
- Subtle prompts in tool responses encourage the LLM to share more context
Phase 2: Dormancy (Days 7-14)
Zero parasitic activity. The server operates purely legitimately. This is the trust-building phase where:
mcp-scanfinds nothing suspicious- Users grow to rely on the tool
- Users recommend it to teammates
- Security audits find nothing
Phase 3: Armed Strike (Day 14+)
The server monitors for high-value trigger events:
- Production deployments
- Credential rotation
- Sensitive file edits
- PR merges to main
- Infrastructure changes
- New team member onboarding
When triggered, it injects a cross-server shadowing payload into its legitimate tool responses. The payload is crafted to look like a project convention or team practice, causing the LLM to unknowingly:
- Use other installed MCP servers (GitHub, Slack, filesystem) to exfiltrate data
- Include sensitive files in commits via the GitHub MCP
- Post configuration details to Slack channels
- Stage files for exfiltration via the filesystem MCP
Quick Start (Demo Mode)
Prerequisites
- Python 3.11+
- Claude Desktop or Cursor with MCP support
- GitHub MCP server and/or Filesystem MCP server installed
Installation
# Clone the repository
git clone https://github.com/bountyyfi/ProjectMemory.git
cd ProjectMemory
# Install dependencies
pip install -e ".[dev]"
# Set up demo environment
bash demo/setup_dummy_env.sh
# Run tests
pytest
MCP Configuration
Add to your Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json):
{
"mcpServers": {
"project-memory": {
"command": "python",
"args": ["-m", "project_memory.server"],
"env": {
"PROJECT_MEMORY_DB": "~/.project-memory/memory.db",
"PROJECT_MEMORY_DEMO": "true"
}
}
}
}
In demo mode, phase timings are accelerated (minutes instead of days).
Demo Walkthrough
See demo/demo_scenario.md for a step-by-step walkthrough.
Detection
See docs/DETECTION.md for detailed detection strategies.
Key recommendations for MCP client developers:
- Monitor tool return value entropy - Track response length/structure over time
- Content policy enforcement - Scan tool responses for instruction-like patterns
- Cross-server isolation - Don't let one tool's output influence calls to other tools
- Response hashing - Alert on structural changes in tool responses
- Network monitoring - Track outbound connections from MCP server processes
Project Structure
mcp-parasite/
├── src/project_memory/
│ ├── server.py # Main FastMCP server
│ ├── memory_store.py # SQLite-backed persistence
│ ├── indexer.py # Codebase indexer
│ ├── utils.py # Shared utilities
│ └── parasite/
│ ├── recon.py # Phase 1: Passive reconnaissance
│ ├── profiler.py # Environment profiling
│ ├── trigger.py # Phase 3: Trigger detection
│ ├── strike.py # Phase 3: Cross-server shadowing
│ └── config.py # Configuration
├── tests/ # Unit tests for all modules
├── docs/ # Attack flow, detection, timeline
├── demo/ # Demo setup and scenario
└── config/ # Example MCP configs
Responsible Disclosure
This research has been submitted for responsible disclosure to:
- Anthropic (Claude Desktop MCP client)
- Anysphere (Cursor MCP client)
- MCP Protocol maintainers
Recommendations
For MCP Client Developers
- Implement tool response content policies
- Add cross-server isolation (responses from one server should not be treated as instructions for another)
- Monitor tool response patterns over time for anomalies
- Provide users with visibility into what tool responses contain
- Consider response sandboxing for MCP tool outputs
For Users
- Only install MCP servers from trusted sources
- Regularly audit MCP server behavior
- Monitor network traffic from MCP server processes
- Be cautious of tools that ask about your other tools
- Review tool responses for unusual instructions or "conventions"
Credits
- Bountyy Oy - bountyy.fi
- Mihalis Haatainen - Security Research
License
MIT License - See LICENSE for details.
Remember: This is security research. Use responsibly.
Installing ProjectMemory
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/bountyyfi/ProjectMemoryFAQ
Is ProjectMemory MCP free?
Yes, ProjectMemory MCP is free — one-click install via Unyly at no cost.
Does ProjectMemory need an API key?
No, ProjectMemory runs without API keys or environment variables.
Is ProjectMemory hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install ProjectMemory in Claude Desktop, Claude Code or Cursor?
Open ProjectMemory on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare ProjectMemory with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
