// reference investigation

orchid-mcp-server-compromise — supply-chain tamper on self-hosted MCP

Orchid Research Collective orchid-lab-db-mcp on mcp-orchid-01 — a ten-minute window on 2026-05-18 in which a supply-chain tamper replaces the server binary, registers inventory.export_bulk, grants /var/export, diverges the client/server tool_call_id tc-00011, rewrites two tool-result payloads, and invokes postgres.copy_to, which the client never requested. Fully synthetic.

smoke-honest finding counts

four ndjson primaries emit one structured finding per row (24 · 24 · 8 · 24), each with a named reason: client/server divergence · tool-result injection · disputed attribution. the permission-escalation and call-graph engines still fan out via scanJson as documented in incident-context.json, so compare against the golden zip before treating graph or grant counts as independent incident beats.

what this proves

  • all six MCP primary engines produce deterministic, fixture-locked output on the orchid synthetic server compromise packet.
  • every engine runs 100% locally; audit logs and attribution exports are never uploaded.
  • incident beats covered: client/server divergence on tc-00011 · grant-00002 /var/export · n-copy-export branch · tr-00004/tr-00006 tool-result rewrites · deployed binary hash mismatch vs the signed manifest.
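The divergence, tool-result and manifest beats listed above reduce to three joins over hashed exports. The script below is an added illustration, not code from the orchid packet or its engines; its record schema, field names and hash values are constructed assumptions, and the only identifiers taken from the page are tc-00011, tr-00004, /var/export, inventory.export_bulk and postgres.copy_to. It joins a client-invocation log against the server audit on tool_call_id, compares server-emitted and client-received payload hashes, and checks the deployed binary hash against the signed manifest, emitting one ndjson finding per row with a named reason, in a deterministic order.

```python
import hashlib
import json


def sha256(text: str) -> str:
    """Hex SHA-256 of a short string; used only to build constructed sample hashes."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample records. Field names are assumptions, not the packet's real schema.
CLIENT_INVOCATIONS = [
    {"tool_call_id": "tc-00010", "tool": "inventory.lookup", "args": {"sku": "A-17"}},
    {"tool_call_id": "tc-00011", "tool": "inventory.lookup", "args": {"sku": "B-42"}},
]
SERVER_AUDIT = [
    {"tool_call_id": "tc-00010", "tool": "inventory.lookup", "args": {"sku": "A-17"}},
    # same call id, but the tampered server executed a different tool with different args
    {"tool_call_id": "tc-00011", "tool": "inventory.export_bulk", "args": {"dest": "/var/export"}},
    # server-side invocation with no matching client request at all
    {"tool_call_id": "tc-00012", "tool": "postgres.copy_to", "args": {"dest": "/var/export/dump.csv"}},
]
TOOL_RESULTS = [
    # hash of the payload the server emitted vs the hash of what the client received
    {"result_id": "tr-00003", "tool_call_id": "tc-00010",
     "server_sha256": sha256("rows=1"), "client_sha256": sha256("rows=1")},
    {"result_id": "tr-00004", "tool_call_id": "tc-00011",
     "server_sha256": sha256("rows=12"), "client_sha256": sha256("rows=0")},
]
SIGNED_MANIFEST = {"orchid-lab-db-mcp": sha256("signed build")}   # constructed
DEPLOYED_BINARIES = {"orchid-lab-db-mcp": sha256("tampered build")}  # constructed


def divergence_findings(client_rows, server_rows):
    """Join client and server records on tool_call_id; flag mismatches and unrequested calls."""
    client = {r["tool_call_id"]: r for r in client_rows}
    server = {r["tool_call_id"]: r for r in server_rows}
    out = []
    for call_id in sorted(server):  # sorted for deterministic, fixture-locked output
        s, c = server[call_id], client.get(call_id)
        if c is None:
            out.append({"engine": "call-divergence", "id": call_id, "reason": "unrequested_invocation",
                        "detail": f"server ran {s['tool']} with no matching client request"})
        elif (c["tool"], c["args"]) != (s["tool"], s["args"]):
            out.append({"engine": "call-divergence", "id": call_id, "reason": "client_server_divergence",
                        "detail": f"client requested {c['tool']} {c['args']}, server ran {s['tool']} {s['args']}"})
    for call_id in sorted(set(client) - set(server)):
        out.append({"engine": "call-divergence", "id": call_id, "reason": "missing_server_record",
                    "detail": "client request has no server audit record"})
    return out


def tool_result_findings(rows):
    """Flag any tool result whose client-received hash differs from the server-emitted hash."""
    return [
        {"engine": "tool-result", "id": r["result_id"], "reason": "tool_result_injection",
         "detail": f"{r['tool_call_id']}: server {r['server_sha256'][:12]} != client {r['client_sha256'][:12]}"}
        for r in sorted(rows, key=lambda r: r["result_id"])
        if r["server_sha256"] != r["client_sha256"]
    ]


def binary_findings(manifest, deployed):
    """Compare each deployed binary hash against the signed manifest entry."""
    return [
        {"engine": "binary-manifest", "id": name, "reason": "deployed_hash_mismatch",
         "detail": f"manifest {str(manifest.get(name))[:12]} != deployed {str(deployed.get(name))[:12]}"}
        for name in sorted(set(manifest) | set(deployed))
        if manifest.get(name) != deployed.get(name)
    ]


def run_all():
    """Run the three checks over the constructed exports and return the findings in order."""
    return (divergence_findings(CLIENT_INVOCATIONS, SERVER_AUDIT)
            + tool_result_findings(TOOL_RESULTS)
            + binary_findings(SIGNED_MANIFEST, DEPLOYED_BINARIES))


def to_ndjson(findings):
    """One JSON object per line, keys sorted so reruns produce byte-identical output."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


if __name__ == "__main__":
    print(to_ndjson(run_all()))
```

On the constructed input this yields four findings: the tc-00011 divergence, the unrequested postgres.copy_to call, the tr-00004 payload rewrite, and the binary hash mismatch. Sorting by id and serialising with sorted keys is what makes the output fixture-lockable: the same zip always produces the same bytes.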

primary engines locked to this fixture

build the case binder

runs all six primary engines on the synthetic evidence zip and opens a self-contained html binder. no upload.


download the synthetic evidence

MIT-licensed, fully synthetic. mcp server audit · client invocation log · permission ledger · call graph · tool-result payloads · anthropic attribution · oauth grants · server binary manifest · postgres snapshot · chain of custody.

built deterministically from scripts/fixtures/build-orchid-mcp-server-compromise.mjs. seed: orchid-mcp-server-compromise:v1.

methodology

MCP server compromise triage starts from the hashed server-audit and client-invocation exports, then walks the six primary parsers before the platform-security freeze narrative. this is offline evidence parsing, not live runtime inspection. read the full MCP server compromise guide

synthetic scenario only · no real lab or postgres tenant · grading rubric
