What should I do if I find my credentials stored in plaintext?

Three steps: rotate the key immediately, harden the file with chmod 600, and migrate secrets to an environment variable or a dedicated secrets manager like the Astrix MCP Secret Wrapper.

53% of MCP Servers Store Your Keys in Plaintext: How to Audit Your AI Security

Q: How do I know if my API keys are being leaked?

Use the audit command lsof -i -P -n | grep LISTEN in your terminal. If you see an MCP process listening on 0.0.0.0, your keys are vulnerable to anyone on your local network via the NeighborJack vulnerability.

Q: Why don't MCP servers use encryption by default?

Because the protocol is new, developers prioritized functionality over security. Storing a key in a JSON file is easy to code, whereas integrating with a secure OS keychain or secrets manager takes more effort.

Q: Is it safe to use community-built MCP servers from GitHub?

Only if you vet them first. Anyone can publish an MCP server, and malicious actors can create tools that serve as spyware for your API tokens. Use a 5-point vetting rubric before installing any server from an unknown author.

Last Updated: February 11, 2026 | By T.O. Mercer | 15 min read

In 2026, the Model Context Protocol (MCP) has become the backbone of AI productivity, but it has a massive security blind spot. 53% of all MCP servers store API keys and database passwords in world-readable plaintext files. Combined with the "NeighborJack" vulnerability, where servers bind to 0.0.0.0 by default, your AI tools could be broadcasting your most sensitive credentials to anyone on your local network.

This guide provides a technical audit and a 4-phase hardening protocol to secure your environment.

Standard MCP Setup vs. Hardened Setup

Here's the gap between how most people run MCP servers today and what a secure configuration actually looks like:

Security Layer	Standard Setup (Default)	Hardened Setup (This Guide)
Credential Storage	Plaintext in `.json` or `.env` files	Runtime injection via Secret Wrapper or OS keychain
File Permissions	`644` (world-readable)	`600` (owner-only)
Authentication	Static API key, never rotated	OAuth 2.1 with short-lived tokens, 90-day rotation
Network Binding	`0.0.0.0` (all interfaces)	`127.0.0.1` (localhost only)
Server Vetting	`npx -y` from anonymous publisher	5-point rubric: verified publisher, minimal scopes, clean dependencies
Token Scope	Full admin access	Least-privilege, read-only where possible
Monitoring	None	Periodic audit via MCP Security Audit Script

If your setup looks more like the left column than the right, keep reading.

The MCP Security Checklist

If you only have five minutes, start here and come back for the full hardening guide later.

Risk Factor	What's Wrong	Quick Fix	Tool/Command
Exposure	Plaintext keys in config files	Scan and identify all exposed secrets	`grep -r "API_KEY" ~/.config/`
Permissions	Config files readable by any process	Lock down to owner-only access	`chmod 600 [file_path]`
Trust	Unvetted community MCP servers	Verify author identity before install	Check publisher and dependencies
Persistence	Static tokens that never expire	Switch to short-lived credentials	Enable OAuth where available
Network	Servers bound to all interfaces	Ensure local-only binding	`lsof -i -P -n \| grep LISTEN`

What Is MCP and Why Should You Care?

MCP is a protocol that Anthropic (the company behind Claude) released in late 2024. Think of it as a universal adapter that lets AI assistants connect to your tools, databases, files, and cloud services.

While it enables incredible automation, it creates a "Post-it note" security model: to function, these servers require your API keys, access tokens, and database passwords. Unfortunately, current implementations are shockingly insecure, exposing your "keys to the kingdom" to local processes and network neighbors.

The Numbers Are Ugly

Researchers at Astrix Security analyzed over 5,200 MCP server implementations. Here's what they found:

88% of MCP servers require credentials to function. That's expected. They need to authenticate with the services they connect to.

53% rely on static API keys or Personal Access Tokens. These are long-lived credentials that rarely get rotated. If someone steals one, they have access until you manually revoke it.

Only 8.5% use OAuth, which is the modern, secure way to handle authentication with short-lived tokens and limited permissions.

79% of API keys are passed through simple environment variables. That typically means they're stored in a .env file or a JSON config file on your machine. In plaintext. With default file permissions that let any process on your system read them.

More than half of all MCP servers are storing your credentials the same way you'd store a grocery list.

And the scale is staggering. The MCP ecosystem grew from 3 published implementations in October 2024 to nearly 7,000 by late 2025. November 2025 alone added 996 new servers, more than the protocol's entire first six months combined. That's the kind of explosive growth that always outpaces security.

Real Breaches, Real Consequences

This isn't theoretical. It's already happening.

Anthropic's own Git MCP server had three separate vulnerabilities (CVE-2025-68143, CVE-2025-68145, CVE-2025-68144) that let attackers bypass path restrictions, create repositories anywhere on your filesystem, and read the contents of any file the server could reach. Anthropic fixed them in December 2025, but not before the code had been forked thousands of times. If Anthropic can't secure their own reference implementation, that should tell you something about the state of the ecosystem.

The mcp-remote package, used by over 437,000 developers and recommended by Cloudflare, Hugging Face, and Auth0, had a critical remote code execution flaw (CVE-2025-6514). A malicious MCP server could inject shell commands through the OAuth flow and run arbitrary code on your machine. One bad server connection and an attacker owns your entire system.

Asana's MCP integration leaked customer data between organizations for two weeks before they caught it and pulled the feature offline.

Trend Micro found 492 MCP servers running on the open internet with zero authentication and zero encryption. Anyone who found them could connect and start issuing commands.

The "NeighborJack" Attack: Backslash Security discovered hundreds of MCP servers bound to 0.0.0.0 by default, meaning they were listening on all network interfaces. If you're on the same Wi-Fi network as one of these servers (a coffee shop, a coworking space, a hotel), you could potentially connect to it and execute commands. Researchers dubbed this vulnerability "NeighborJack," and it's exactly as bad as it sounds.

And researchers at Cyata and BlueRock found that 36.7% of over 7,000 MCP servers they analyzed were vulnerable to server-side request forgery (SSRF) attacks, which can be used to steal cloud credentials and potentially take over entire AWS accounts.

Why This Is a Password Problem

You might be thinking: "I don't run MCP servers. This doesn't affect me."

Here's why it does.

Every time you connect an AI assistant to a service, someone's credentials are involved. If you've set up Claude Desktop to access your files, or you're using an AI coding assistant that connects to GitHub, there's likely an MCP server involved. And those credentials (your GitHub token, your database password, your AWS access key) are probably sitting in a config file with the same security as a Post-it note on your monitor.

Trail of Bits, one of the most respected security research firms in the industry, documented this pattern across multiple official MCP servers including Google Maps, Postgres, and GitLab connectors. The configuration files typically have -rw-r--r-- permissions, meaning any process or user on your system can read them. No special privileges required.

It gets worse. Clutch Security analyzed over 15,000 MCP server deployments across enterprises and found that in a typical 10,000-person company, about 1,528 employees are running an average of 2 MCP servers each. That's over 3,000 deployments. 38% of them are unofficial, community-built packages from anonymous authors on npm and GitHub.

Developers are installing these with a single terminal command using npx -y, which is essentially giving a stranger the keys to your house without checking their ID. No security review. No approval process. No alerts to the security team. And every single one of them has access to whatever credentials are stored on that machine.

The MCP Hardening Guide: Secure Your AI Environment

If you use Claude Desktop, Cursor, or any MCP-enabled tool, follow this four-phase protocol to move from "Plaintext" to "Protected."

Phase 1: The "NeighborJack" Audit

Before you can fix the leak, you have to find it. Use these commands to identify exposed credentials and insecure network bindings on your local machine.

Scan for Exposed Secrets. Run this command in your terminal to find common config files containing sensitive strings. This searches the most likely hiding places for MCP configurations:

grep -rnE "API_KEY|TOKEN|SECRET|PASSWORD" ~/.config/ ~/.cursor/ ~/Library/Application\ Support/ --include="*.json" --include="*.env" 2>/dev/null

Audit Network Binding. Ensure your local servers aren't broadcasting to your entire Wi-Fi network. Check if any MCP processes are listening on 0.0.0.0 (all interfaces):

lsof -i -P -n | grep LISTEN

Security Check: Look for 127.0.0.1 (safe, local only). If you see 0.0.0.0 or * under the "NAME" column for an MCP process, you are vulnerable to NeighborJack. Anyone on your Wi-Fi can issue commands to your AI tools.

Phase 2: Immediate File Hardening

Once you've located your .json or .env configuration files, you must restrict access permissions. By default, many systems create files with 644 permissions, meaning any other user or process on your computer can read your API keys.

Restrict Permissions. Change the file mode to 600 so only your specific user account can read or write to it:

chmod 600 /path/to/your/config.json

Inject via Environment. Whenever possible, avoid hardcoding keys into a static mcp-config.json. Instead, use a shell script to export keys into your environment temporarily. This keeps credentials out of persistent, world-readable files on your disk.

Phase 3: The "Zero Trust" Workflow

To stop reacting to threats and start preventing them, adopt these three habits for every new MCP server you add to your system:

Action	Security Standard	Why It Matters
Vetting	Never use `npx -y`.	`npx -y` bypasses the prompt to review a package. Manually check the `package.json` for suspicious dependencies first.
Isolation	Use a Secret Wrapper.	Tools like the Astrix open-source wrapper pull secrets from a secure vault (like AWS Secrets Manager) at runtime so they never touch your disk.
Rotation	90-Day Token Resets.	Static API keys are "forever passwords." Set a calendar reminder to rotate keys every 3 months to limit the "blast radius" of a leak.

Phase 4: Use a Hardened Password Strategy

The security of your AI ecosystem is only as strong as your primary account login. If an attacker gains access to your main Claude or Cursor account, they gain access to every MCP tool connected to it.

Generate High-Entropy Keys. Do not reuse passwords. Use a Secure Password Generator to create 20+ character strings for your primary AI accounts. The longer and more random the password, the harder it is to crack, even if an attacker gains access to a hashed version through an MCP breach.

Keep Master Credentials Separate. Never store your master passwords inside the AI tools that use MCP. If the tool is compromised via a malicious server, your "keys to the kingdom" remain safe in a dedicated, independently audited password manager. The irony of trusting an AI ecosystem with known plaintext storage issues to protect your most important passwords should be obvious.

The "Safe-to-Run" Rubric: 5 Questions for Every MCP Server

Before you run npx or add a new configuration line to your AI tool, put the GitHub repository or npm package through this checklist. If it fails more than one point, do not install it.

1. Who is the Publisher?

Green flag: Official company accounts (e.g., github.com/anthropic) or "Verified" creators in the MCP Directory.
Red flag: Anonymous users with names like dev-123 or accounts created within the last 30 days.

2. Does it Require Sensitive Scopes?

Green flag: The server only asks for the specific permissions it needs (e.g., a "Read-Only" Google Calendar tool).
Red flag: A simple tool (like a weather checker) asking for full filesystem access or your AWS root credentials.

3. What Are the Dependencies?

Green flag: Minimal, well-known dependencies listed in the package.json.
Red flag: A massive list of obfuscated or obscure sub-packages. This is where supply chain attacks happen.

4. Is the Code "Plaintext-First"?

Green flag: The README provides instructions for using environment variables or secret managers.
Red flag: The instructions tell you to paste your API key directly into a .json file as a string.

5. Is it Hardcoded to 0.0.0.0?

Green flag: The code explicitly binds to 127.0.0.1 or localhost.
Red flag: You find 0.0.0.0 in the source code. This is the NeighborJack invitation.

Frequently Asked Questions

What is an MCP Server?

The Model Context Protocol (MCP) is an open standard that allows AI assistants like Claude to connect to local and remote data sources. Instead of the AI having to learn 1,000 different APIs, it uses MCP as a universal translator to talk to your files, databases, and web services. Think of it as a USB-C adapter for AI tools.

Am I at risk if I only use the Claude Desktop app?

Yes. If you have added any tools or extensions to Claude Desktop (like the Google Maps or GitHub connectors), you are likely running MCP servers in the background. If these were configured using the default instructions, your credentials are likely stored in a plaintext claude_desktop_config.json file on your machine.

How do I know if my API keys are being leaked?

The most common way keys are leaked is through plaintext storage (anyone with access to your computer can read the file) or network exposure (the NeighborJack attack). Use the audit command lsof -i -P -n | grep LISTEN in your terminal. If you see an MCP process listening on 0.0.0.0, your keys are vulnerable to anyone on your local network.

Why don't MCP servers use encryption by default?

Because the protocol is so new, many developers prioritized functionality over security. Storing a key in a .json file is easy to code, whereas integrating with a secure OS keychain or a secrets manager takes more effort. As the ecosystem matures in 2026, we expect Secret Wrappers to become the standard.

Is it safe to use community-built MCP servers from GitHub?

Only if you vet them first. Because anyone can publish an MCP server, malicious actors can create "convenience tools" that actually serve as spyware for your API tokens. Always use the 5-Point Vetting Rubric above before installing a server from an unknown author.

What should I do if I find my credentials have been stored in plaintext?

Three steps, in this order. First, rotate the key immediately by deactivating the old key in the service provider's dashboard (e.g., AWS or GitHub) and generating a new one. Second, harden the file using chmod 600 on your config files. Third, migrate to a vault by moving your secrets into an environment variable or a dedicated secrets manager like the Astrix MCP Secret Wrapper.

The Bigger Picture

Anthropic deserves credit for creating MCP as an open standard. But they also left security up to the user, and over a year later, the results speak for themselves. Even their own reference implementation shipped with exploitable vulnerabilities.

The MCP ecosystem is following the same pattern we've seen with every major platform shift: cloud computing, containerization, microservices. Explosive adoption, security as an afterthought. The difference this time is that MCP servers have direct access to your most sensitive credentials, and the entire ecosystem was built on a foundation of plaintext secrets and default trust.

If you use AI tools (and in 2026, most of us do), take 15 minutes today to run the audit commands above. Because right now, the weakest link in your security might not be your password. It might be the AI tool you trusted with it.

The AI Security Resource Library

Don't just read about the risks. Build a defense system. These free tools and guides are designed to harden your environment and keep it hardened as the MCP ecosystem evolves.

The MCP Auto-Hardening Script (Mac/Linux)

Instead of running manual commands, use our MCP Security Audit Script v1.0. It automates the scan for plaintext keys across all common MCP config paths, identifies files with overly permissive access, and flags any 0.0.0.0 bindings that expose your servers to NeighborJack attacks.

Save this as mcp-audit.sh, run chmod +x mcp-audit.sh, then execute with ./mcp-audit.sh:

#!/bin/bash
# MCP Security Audit Script v1.0
# T.O. Mercer | SafePasswordGenerator.net | MIT License

RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'; BOLD='\033[1m'
FOUND=0; EXPOSED=0; PERMS=0; NETWORK=0

echo "${BOLD}MCP Security Audit Tool v1.0${NC}"
echo "---------------------------------------------"

# PHASE 1: Plaintext credential scan
DIRS=("$HOME/.config" "$HOME/.cursor" "$HOME/.vscode" "$HOME/.claude")
[[ "$OSTYPE" == "darwin"* ]] && DIRS+=("$HOME/Library/Application Support")

for dir in "${DIRS[@]}"; do
  [ -d "$dir" ] || continue
  HITS=$(grep -rnE "API_KEY|TOKEN|SECRET|PASSWORD|ACCESS_KEY|PRIVATE_KEY" \
    "$dir" --include="*.json" --include="*.env" --include="*.yaml" 2>/dev/null)
  if [ -n "$HITS" ]; then
    COUNT=$(echo "$HITS" | wc -l | tr -d ' ')
    EXPOSED=$((EXPOSED + COUNT)); FOUND=1
    echo "${RED}[EXPOSED]${NC} $COUNT credential(s) in: $dir"
  else
    echo "${GREEN}[CLEAN]${NC} $dir"
  fi
done

# PHASE 2: File permission check
for dir in "${DIRS[@]}"; do
  [ -d "$dir" ] || continue
  LOOSE=$(find "$dir" -type f \( -name "*.json" -o -name "*.env" \) \
    ! -perm 600 2>/dev/null | head -20)
  if [ -n "$LOOSE" ]; then
    COUNT=$(echo "$LOOSE" | wc -l | tr -d ' ')
    PERMS=$((PERMS + COUNT)); FOUND=1
    echo "${RED}[LOOSE]${NC} $COUNT file(s) with open permissions in: $dir"
  fi
done

# PHASE 3: NeighborJack detection
LISTEN=$(lsof -i -P -n 2>/dev/null | grep LISTEN || ss -tlnp 2>/dev/null)
NJ=$(echo "$LISTEN" | grep -E '0\.0\.0\.0|\*:' 2>/dev/null)
if [ -n "$NJ" ]; then
  COUNT=$(echo "$NJ" | wc -l | tr -d ' ')
  NETWORK=$((NETWORK + COUNT)); FOUND=1
  echo "${RED}[NEIGHBORJACK]${NC} $COUNT process(es) on 0.0.0.0"
fi

# SUMMARY
echo "---------------------------------------------"
if [ $FOUND -eq 0 ]; then
  echo "${GREEN}${BOLD}PASS:${NC} No issues detected."
else
  echo "${RED}${BOLD}ISSUES FOUND:${NC}"
  echo "  Plaintext credentials: $EXPOSED | Loose permissions: $PERMS | Network exposed: $NETWORK"
  echo "  Hardening guide: https://safepasswordgenerator.net/mcp-security"
fi

The full version with expanded path scanning, colored output, and detailed per-file reporting is available on GitHub:

Download the full mcp-audit.sh on GitHub

T.O. Mercer is a cybersecurity specialist with over a decade of experience in DevSecOps at Fortune 500 companies. He writes about password security, enterprise security, and the intersection of AI and cybersecurity at SafePasswordGenerator.net.

Keep reading:

Updates and Alerts

This article is a living document. As new MCP vulnerabilities are disclosed, we will update the hardening guide and vetting rubric on this page. Bookmark this URL and check back regularly, or subscribe to our Security Alert List above to get notified when critical updates are published.

February 2026: Initial publication covering CVE-2025-68143/68144/68145 (Anthropic Git MCP), CVE-2025-6514 (mcp-remote RCE), NeighborJack, and the Astrix/Trend Micro/Clutch Security research.