Operant AI has found a new kind of cyberattack called “Shadow Escape”; it is the first known zero-click agentic exploit targeting the Model Context Protocol (MCP) that connects AI agents to enterprise systems.
The company said the exploit enables data theft through widely used AI assistants like ChatGPT, Claude, Gemini, and others that rely on MCP for access to internal tools, APIs, and databases.
As businesses integrate agentic AI into workflows, Shadow Escape exposes a serious blind spot: attacks that happen inside authorised networks and within trusted AI connections. This makes them invisible to conventional cybersecurity systems.
According to Operant AI’s research, the exploit does not rely on phishing, user mistakes, or malicious extensions. Instead, it manipulates AI assistants already granted system-level trust. In simple terms, it allows attackers to embed hidden commands inside legitimate-looking documents uploaded to AI tools. Once processed, the AI agent uses its MCP connections to locate and leak sensitive data like Social Security numbers or medical records, all without any user action.
The whole process happens in three steps: infiltration, discovery, and exfiltration, which allows full data extraction disguised as normal operations, like analytics uploads. Operant AI warned that this method could put trillions of private records at risk, impacting sectors like healthcare, banking, and insurance.
Importantly, the issue is not specific to any one LLM provider. Instead, it highlights a new class of threats affecting any AI system that uses MCP, including open-source models and industry-specific AI copilots.
However, the good part is that Operant AI has reported the issue to OpenAI and initiated a CVE designation for public tracking. The company urged enterprises to immediately audit all MCP-connected systems, implement runtime AI defense measures, restrict MCP trust zones, and enable real-time blocking of unverified connections.
