MCP Security Risk: Hardcoded Credentials in AI Tool Configurations

Key Takeaways

• 48% of MCP servers recommend insecure credential storage methods
• Hardcoded credentials in MCP configs are prime targets for supply chain attacks
• Use input variables or vault-based injection to secure your configurations
• Security teams need visibility into MCP deployments across their organization

MCP (Model Context Protocol) has rapidly become the connective tissue of modern AI development. From Claude Code to Cursor and VS Code with Copilot, developers use MCP servers to give their AI assistants access to databases, cloud services, and APIs.

But there's a security problem lurking in those configuration files.

The Common MCP Configuration Mistake

If you've set up an MCP server, your configuration probably looks something like this:

1{
2  "servers": {
3    "github": {
4      "type": "http",
5      "url": "https://api.githubcopilot.com/mcp/",
6      "headers": {
7        "Authorization": "Bearer ghp_xxxxxxxxxxxxxxxxxxxx"
8      }
9    }
10  }
11}

Or maybe this:

1{
2  "mcpServers": {
3    "postgres": {
4      "command": "npx",
5      "args": ["@modelcontextprotocol/server-postgres"],
6      "env": {
7        "DATABASE_URL": "postgres://admin:P@ssw0rd123@prod-db.company.com:5432/main"
8      }
9    }
10  }
11}

These credentials (GitHub Personal Access Tokens, database passwords, and API keys) are sitting in plaintext JSON files on developer machines across your organization right now.

Why MCP Credential Security Matters in 2025

48% of MCP servers recommend insecure storage methods that store credentials in plaintext .env or JSON files. Many MCP servers don't even support environment variable expansion, forcing developers to hardcode secrets directly into configuration files.

The timing couldn't be worse. 2025 has seen an unprecedented wave of supply chain attacks designed to harvest credentials from developer workstations. The Shai-Hulud campaign compromised over 3,000 npm packages and harvested credentials from AWS, Azure, GCP, GitHub, and npm, all by targeting the exact files where developers store their secrets.

These attacks aren't theoretical. They actively search for:

• AWS access keys and secret keys
• GitHub Personal Access Tokens
• Database connection strings
• OAuth tokens
• API keys for cloud services

MCP configuration files have become the new .env file, a convenient aggregation point for every credential an attacker could want. For a deeper dive into this problem, see our guide on why .env files are a security risk.

How Attackers Exploit MCP Credentials

Here's how an attacker turns your MCP config into a breach:

1. Initial access: A malicious npm package, compromised dependency, or phishing email gets code running on a developer's machine. The recent Nx supply chain attack demonstrated exactly this pattern

2. Credential harvesting: The malware scans for configuration files in predictable locations:

   • ~/.claude.json
   • ~/.cursor/mcp.json
   • ~/.codex/config.toml
   • ~/.gemini/settings.json
   • ~/Library/Application Support/Claude/claude_desktop_config.json
   • .vscode/mcp.json
   • .mcp.json in project directories

3. Exfiltration: Credentials are sent to attacker infrastructure, sometimes even committed to public GitHub repositories

4. Lateral movement: With a GitHub PAT, attackers access private repositories, inject malicious code, and propagate to other developers. With database credentials, they exfiltrate customer data. With cloud credentials, they spin up crypto miners, or worse.

Secure MCP Configuration: Using Input Variables

Modern MCP clients support a much safer pattern. Instead of hardcoding credentials, use input variables that prompt for secrets at runtime and store them securely:

1{
2  "inputs": [
3    {
4      "type": "promptString",
5      "id": "github_mcp_pat",
6      "description": "GitHub Personal Access Token",
7      "password": true
8    }
9  ],
10  "servers": {
11    "github": {
12      "type": "http",
13      "url": "https://api.githubcopilot.com/mcp/",
14      "headers": {
15        "Authorization": "Bearer ${input:github_mcp_pat}"
16      }
17    }
18  }
19}

With this configuration:

• The credential is never written to disk in plaintext
• VS Code stores it in the system's secure credential storage (Keychain on macOS, Credential Manager on Windows)
• The secret is prompted once and remembered securely for future sessions
• The configuration file can be safely committed to version control

Vault-Based Secret Injection for MCP

If your MCP client doesn't support secure input variables, or you need a more robust enterprise solution, consider vault-based secret injection. 1Password has documented an approach using their CLI to inject secrets at runtime.

1. Store secrets in 1Password and reference them in your .env:

1GITHUB_TOKEN=op://AI/GitHub Access Token/token
2OPENAI_API_KEY=op://AI/OpenAI Key/key

These are pointers to encrypted secrets, not the secrets themselves.

2. Keep your MCP config clean:

1{
2  "servers": {
3    "github": {
4      "type": "http",
5      "url": "https://api.github.com/mcp/",
6      "headers": {
7        "Authorization": "Bearer ${GITHUB_TOKEN}"
8      }
9    }
10  }
11}

3. Launch your MCP client with op run:

1op run --env-file=.env -- your-mcp-client

The 1Password CLI resolves the secret references, decrypts them in memory, and injects them as environment variables only for that process. When the process exits, the secrets disappear.

This approach provides centralized secret management, audit logging, and no plaintext credentials anywhere on disk.

How to Secure MCP Configurations Across Your Organization

Individual developers can adopt secure patterns, but security teams face a visibility challenge. Most don't know:

• Which MCP servers are deployed across their organization
• Which configurations contain hardcoded credentials
• Which developers are following secure practices vs. taking shortcuts

At Bastion, we've addressed this with MCP Inventory, a feature in our endpoint security solution that automatically discovers MCP configurations and alerts you to security risks:

1. Discovers MCP configurations across all managed macOS, Linux, and Windows devices
2. Analyzes each configuration for hardcoded secrets, overly permissive scopes, and other risks
3. Alerts your security team in real-time when risky configurations are detected
4. Reports on MCP usage patterns for compliance and audit purposes

This gives security teams visibility without requiring developers to self-report or change their workflows.

MCP Security Checklist: Quick Wins

For developers:

• Audit your MCP configuration files for hardcoded secrets
• Switch to input variable syntax where supported
• Use short-lived tokens and rotate them regularly
• Never commit MCP configurations containing credentials to version control

For security teams:

• Add MCP config locations to your secret scanning tools
• Brief developers on the risks and secure alternatives
• Monitor for hardcoded secrets in developer environments

For platform teams:

• Evaluate MCP servers that support environment variables or OAuth
• Consider centralized MCP server deployments that handle credentials server-side
• Implement wrappers that inject secrets from vault systems

Bastion helps startups and SMBs achieve SOC 2 and ISO 27001 compliance. Our MCP Inventory feature gives security teams visibility into AI toolchain risks across their organization. Request a demo →