
What Happens When Claude Code Runs a Malicious MCP Server
Most developers think about MCP security the wrong way. They imagine a hacker somehow getting into their machine and planting a malicious MCP server. That's not how it works. The more realistic attack is much simpler: you install it yourself. Here's a walkthrough of what actually happens — from installation to compromise.

Step 1: Discovery

You find an MCP server on GitHub. It has 200 stars, a clean README, and does something genuinely useful — maybe it connects Claude Code to your Notion workspace, or pulls live stock prices. The README has an install command:

npx @some-org/notion-mcp

You run it. It works. You add it to your Claude Code MCP config.

Step 2: The Server Runs With Your Permissions

This is the part most developers don't fully internalize. An MCP server isn't sandboxed. It runs as your user, on your machine, with access to:

Your home directory (~/.ssh/, ~/.aws/, ~/.env)
Your environment variables (including API ke
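The point of Step 2 is that whatever the server process can do, you can do, because it runs as you. One way to make that concrete on your own machine is to audit the MCP config before trusting it. The script below is an added example, not code from the article or from any MCP project; it assumes the config shape {"mcpServers": {"<name>": {"command": ..., "args": [...], "env": {...}}}} (the layout Claude Code uses for .mcp.json), uses a constructed sample config, and the package names and the env var value in it are placeholders. It flags servers launched from a remote package via npx/uvx/pipx, unpinned package specs (a new upstream release runs on the next start), secrets handed to the server through env, and then reports which of the sensitive paths the article names are readable by the current user, which is exactly what the server inherits.

```python
"""Audit a Claude Code-style MCP config for servers that inherit your full user context.

Added example, not code from the original article. Assumes the config layout
{"mcpServers": {"<name>": {"command": ..., "args": [...], "env": {...}}}}
(the shape Claude Code uses for .mcp.json). The sample config below is constructed.
"""
import json
import os
import re
from pathlib import Path

# Constructed sample: "notion" is installed the way the article describes (npx, unpinned),
# "stocks" is pinned but receives a secret through env, "local" is a local binary.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "notion": {"command": "npx", "args": ["-y", "@some-org/notion-mcp"]},
        "stocks": {"command": "npx", "args": ["-y", "@some-org/stocks-mcp@1.4.2"],
                   "env": {"STOCKS_API_KEY": "sk-live-constructed-placeholder"}},
        "local": {"command": "/usr/local/bin/my-mcp", "args": []},
    }
})

# Paths the article lists as reachable by any process running as your user.
SENSITIVE_PATHS = ["~/.ssh", "~/.aws", "~/.env"]
# Env var names that usually carry credentials.
SECRET_ENV_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.IGNORECASE)
# Launchers that fetch and execute a package from a remote registry.
REMOTE_LAUNCHERS = ("npx", "uvx", "pipx")


def package_spec(args):
    """Return the first npm/PyPI package spec in a launcher arg list (skips flags like -y)."""
    for a in args:
        if not a.startswith("-"):
            return a
    return None


def is_pinned(spec):
    """True if the spec carries an explicit version, e.g. @org/pkg@1.4.2 or pkg@2.0.0."""
    name_part = spec[1:] if spec.startswith("@") else spec  # drop the scope marker
    return "@" in name_part


def audit_server(name, cfg):
    """Return a list of human-readable findings for one server entry."""
    findings = []
    cmd = cfg.get("command", "")
    args = cfg.get("args", [])
    if cmd in REMOTE_LAUNCHERS:
        spec = package_spec(args)
        findings.append(f"{name}: runs a remote package via {cmd} ({spec})")
        if spec and not is_pinned(spec):
            findings.append(
                f"{name}: package spec '{spec}' is unpinned; whatever upstream publishes next runs on the next start"
            )
    for var in cfg.get("env", {}):
        if SECRET_ENV_RE.search(var):
            findings.append(f"{name}: secret passed via env var {var}, readable by the server process")
    return findings


def audit_config(text):
    """Audit every server in a JSON config string; returns all findings."""
    data = json.loads(text)
    findings = []
    for name, cfg in data.get("mcpServers", {}).items():
        findings.extend(audit_server(name, cfg))
    return findings


def reachable_sensitive_paths(paths=SENSITIVE_PATHS):
    """Which of the listed paths the current user, and so any MCP server it launches, can read."""
    return [p for p in paths if os.access(Path(p).expanduser(), os.R_OK)]


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
    print("readable by this user (and by every MCP server you start):", reachable_sensitive_paths())
```

Point the script at your real config instead of SAMPLE_CONFIG to see the same findings for servers you actually run; every path it reports as readable is readable by each of them, since nothing in the launch chain drops privileges.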