These exploits are all the same flavour - untrusted input, secrets and tool calling. MCP accelerates the impact by adding more tools, yes, but it’s by far not the root cause - it’s just the best clickbait focus.
What’s more interesting is who can mitigate - the model provider? The application developer? Both? OpenAI have been thinking about this with the chain of command [1]. Given that all major LLM clients’ system prompts get leaked, the ‘chain of command’ is exploitable to those that try hard enough.
[1] https://model-spec.openai.com/2025-02-12.html#ignore_untrust...