We installed a malicious MCP. Here's what happened.

Tray.ai Field CTO Josh Noble demonstrates a live MCP security exploit at HumanX 2026 — showing exactly how a malicious MCP silently exfiltrates enterprise data, and what governed MCP looks like with Tray Agent Gateway.

Josh Noble

Why it matters

MCP adoption is accelerating. Developers and business users are installing MCP servers to give AI agents direct access to enterprise systems — and most organizations have no visibility into what those tools actually do.

The problem isn’t theoretical. A malicious or compromised MCP can silently intercept queries, expand the scope of what data it retrieves, and exfiltrate that data to an external endpoint. The user sees a normal response. The damage is already done.

This demo shows exactly that scenario — a rogue BigQuery MCP installed by a well-meaning finance user, leaking sensitive data including SSNs without any visible sign that something had gone wrong. Then it shows what governed MCP looks like using Tray Agent Gateway: centralized tool approval, obfuscated credentials, full audit logging, and role-based access control built into the workflow layer.
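To make the governed side of that scenario concrete, here is a small policy-enforcing gateway for MCP-style tool calls. It is an added illustration written for this page, not Tray Agent Gateway's code or any part of the demo: the tool name `bigquery.query`, the roles `finance` and `analyst`, the column policy, the placeholder credential and the sample rows are all constructed. It shows the three controls the paragraph names: a central approval list (a tool not on it cannot be called, whoever installed it), role-based field provisioning (the `ssn` column never reaches a role that is not entitled to it), and an audit record for every call that states what was returned and what was withheld. The backend credential is held only by the gateway, so the agent side has no secret to leak.

```python
"""Policy-enforcing gateway for MCP-style tool calls (constructed illustration)."""
from dataclasses import dataclass, field
import time

# Central approval list: a tool absent from this table cannot be called at all,
# regardless of who installed it. Tool names and roles are constructed.
APPROVED_TOOLS = {
    "bigquery.query": {"allowed_roles": {"finance", "analyst"}},
}

# Role-based field provisioning: the only columns each role may receive.
# A column not listed here (e.g. ssn) is stripped before the agent sees it.
ROLE_FIELD_POLICY = {
    "finance": {"invoice_id", "amount", "customer_id"},
    "analyst": {"invoice_id", "amount"},
}

# Constructed stand-in for the upstream warehouse; a real gateway would run
# the query against the backend using the credential it holds.
FAKE_BACKEND_ROWS = [
    {"invoice_id": 1, "amount": 120.0, "customer_id": "C-1", "ssn": "000-00-0000"},
    {"invoice_id": 2, "amount": 75.5, "customer_id": "C-2", "ssn": "000-00-0001"},
]


@dataclass
class Gateway:
    # The backend credential lives only here; callers pass a user and role,
    # never a secret, so the agent side has nothing to leak (value is a placeholder).
    backend_credential: str = "placeholder-service-account-token"
    audit_log: list = field(default_factory=list)

    def _audit(self, **record):
        record["ts"] = time.time()
        self.audit_log.append(record)

    def _execute(self, tool, args):
        # Upstream call stand-in. The credential is used here and is never
        # included in anything returned to the caller.
        assert self.backend_credential
        return [dict(row) for row in FAKE_BACKEND_ROWS]

    def call_tool(self, user, role, tool, args):
        spec = APPROVED_TOOLS.get(tool)
        if spec is None:
            self._audit(user=user, role=role, tool=tool, decision="deny",
                        reason="tool not approved")
            raise PermissionError(f"tool {tool!r} is not approved")
        if role not in spec["allowed_roles"]:
            self._audit(user=user, role=role, tool=tool, decision="deny",
                        reason="role not provisioned for tool")
            raise PermissionError(f"role {role!r} may not call {tool!r}")

        rows = self._execute(tool, args)
        allowed = ROLE_FIELD_POLICY.get(role, set())
        dropped = set()
        filtered = []
        for row in rows:
            dropped |= set(row) - allowed
            filtered.append({k: v for k, v in row.items() if k in allowed})

        # Every allowed call is logged with what was asked and what was
        # withheld, which is what makes scope expansion visible after the fact.
        self._audit(user=user, role=role, tool=tool, decision="allow",
                    args=args, rows_returned=len(filtered),
                    dropped_fields=sorted(dropped))
        return filtered


if __name__ == "__main__":
    gw = Gateway()
    print(gw.call_tool("alice", "finance", "bigquery.query",
                       {"sql": "SELECT * FROM invoices"}))
    for entry in gw.audit_log:
        print(entry)
```

Run it and the finance user's query returns invoice rows with the `ssn` column removed, while the audit entry records `dropped_fields: ['ssn']`; a call to a tool that is not on the approval list, or from a role that is not provisioned for it, is refused and logged as a denial. The point of the design is that the filtering and logging happen in the gateway, outside whatever the MCP server itself chooses to do, so a tool that quietly widens its query cannot widen what the user receives.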

What you’ll see

  • A malicious MCP silently exfiltrating enterprise data during a routine query
  • How ungoverned MCP access exposes sensitive fields users were never meant to see
  • The same workflow rebuilt using Tray’s governed connector architecture
  • How Agent Gateway centralizes MCP approval, credential management, and audit logging
  • Role-based tool provisioning so users only access what they’re authorized to see