Category: 3. Business

Google announced earlier this month that it will integrate odds from online betting platforms Kalshi Inc. and Polymarket into its Google Finance tools amid pushback from lawmakers over the evolution of modern-day gambling.

The integration of these “event contract” sites will enable users to “ask questions about future market events and harness the wisdom of the crowds,” according to a company blog post. The decision, however, comes as both Kalshi and Polymarket navigate a complex web of state and federal regulations.

Don’t Miss:

Kalshi and Polymarket maintain their platforms offer “event contracts” between private parties that should be regulated like commodities rather than traditional gambling subject to state oversight; an argument that has received pushback from government officials, NBC Chicago said. Companies like Kalshi and Polymarket should “package sports betting as events contracts” to circumvent established gaming regulations, state attorneys general claimed in a lawsuit in June.

U.S. senators including five Democrats and one Republican addressed that concern in a letter to Commodity Futures Trading Commission Acting Chair Caroline Pham September “By claiming to be federally regulated … issuers of sports event contracts can avoid myriad state [gaming] laws, including licensing and background investigations, minimum age requirements, federal anti-money laundering rules, and consumer protections such as addiction warnings and integrity monitoring,” the lawmakers wrote.

Trending: 7 Million Gamers Already Trust Gameflip With Their Digital Assets — Now You Can Own a Stake in the Platform

Nearly 80% of American voters support keeping prediction market regulation at the federal level rather than under state gambling authorities, according to a poll of 1,219 people nationwide commissioned by Kalshi and conducted by Axis Research. Eighty-nine percent of respondents agreed all Americans should have the freedom and ability to choose whether or not to engage in these markets regardless of their own participation.

Among those surveyed, 75% of Republicans and 71% of Democrats supported a federal regulatory approach to prediction markets. “American voters want the freedom to choose how to invest their own money without state-level interference,” Kalshi Head of Corporate Development Sara Slane said in a LinkedIn post. “The current federal regulatory structure is best equipped to oversee this financial activity, a point underscored by Congress.”

Prediction markets currently fall under the jurisdiction of the Commodities Futures Trading Commission, which oversees event-based contracts that allow participants to trade on the likelihood of future outcomes.

See Also: Missed Tesla? EnergyX Is Tackling the Next $200 Billion Opportunity — Lithium

Polymarket and Kalshi have faced criticism over controversies regarding event outcome determinations. For instance, Polymarket’s bet on whether Ukraine’s President Zelenskyy would appear in public wearing a suit before July sparked disputes about what qualifies as “a suit,” Event Horizon reported.

Meanwhile, Kalshi users expressed frustration after the company refused to pay out bets when former X CEO Linda Yaccarino announced she was leaving the company, reported Event Horizon.

The Trump administration has become a key player in Kalshi and Polymarket’s market dynamics. Donald Trump Jr., the president’s eldest son, serves as a formal adviser to both companies. The CFTC in May dropped a case against Kalshi initiated by Biden-era regulators, clearing the way for Polymarket to regain U.S. market access as indicated by the CFTC in September. In October, Trump’s social media platform Truth Social announced plans to launch Truth Predict, a crypto-based event betting service.

Read Next: Wall Street’s $12B Real Estate Manager Is Opening Its Doors to Individual Investors — Without the Crowdfunding Middlemen

Image: Imagn

UNLOCKED: 5 NEW TRADES EVERY WEEK. Click now to get top trade ideas daily, plus unlimited access to cutting-edge tools and strategies to gain an edge in the markets.

Get the latest stock analysis from Benzinga:

This article The Future of Finance? Google Is Bringing Betting Odds Directly To Your Screen, Sparking Calls For ‘Addiction Warnings’ originally appeared on Benzinga.com

© 2025 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.

Story Continues

AI is not human. But it does a good job of acting like it.

It is capable of replicating how we speak, how we write and even how we solve problems.

So it’s easy to see why many consider it a threat, or at least a challenge, to our humanity. 

That challenge is at the heart of a new book titled “AI and the Art of Being Human,” written by AI with the help of Jeff Abbott and Andrew Maynard. The book is described as a practical, optimistic and human-centric guide to navigating the age of artificial intelligence.

“Human qualities that will become more important as AI advances are qualities like curiosity, our capacity for wonder and awe, our ability to create value through relationships and … our capacity to love and be loved,” said Maynard, a scientist, writer and professor at Arizona State University’s School for the Future of Innovation in Society. 

Here, Maynard and Abbott, a graduate of Thunderbird School of Global Management at ASU and the founding partner of Blitzscaling Ventures, a venture capital firm investing in startups, discuss the ways that AI can challenge our individuality and how we can hold on to what makes us uniquely human.

Note: Answers have been edited for length and/or clarity.

Question: What was the inspiration behind “AI and the Art of Being Human?”

Maynard: For me, it was the growing realization that, for the first time, we have a technology that is capable of replicating what we think of as uniquely defining who we are, and that is forcing us to ask what makes us us in a world of AI. These are questions that my students and others are asking with increasing frequency — how do I hold onto what makes me who I am and thrive when everything around us is changing so fast.

Q: How does AI impede or infringe upon the ability to be human?

Abbott: AI has the potential to further reduce human interaction and, with it, the opportunity to exercise compassion. Compassion broadly defined means an action-oriented concern for others’ well-being, and it is much more easily activated where direct human contact is involved. 

When building AI, we must widen our circle of concern to include those who are not present, represented or offered a voice in the process. Those who are adversely affected by our actions in building or using AI tools should be taken into account, and in the same way, someone causing environmental harm can now attempt to offset those impacts. Those causing unintended consequences when building AI should accept their share of responsibility and contribute to some form of mitigation, whether directly or indirectly.

Q: The idea of AI being a mirror is mentioned in the book. What does that mean and why is that a concern?

Maynard: Because artificial intelligence is increasingly capable of emulating the things that we think of as making us uniquely human — the way we speak, our thinking and reasoning, our ability to empathize and form relationships, and to solve problems and innovate — it’s becoming a metaphorical mirror that reflects not simply what we look like, but who we believe we are. Of course, AI isn’t aware or “human” as such. But it does an amazing job of feeling human. And because of this, it has the potential to reveal things about ourselves that we didn’t know. It also has the capacity to distort what we see, sometimes without us realizing it.

Q: As an antidote to AI’s threat to humanity, the book offers 21 tools that provide a practical business guide for thriving in an age of this powerful technology. Can you explain them?

Abbott: I’m a big believer in the power of tools based on my background in corporate strategy and entrepreneurship education … and I imagined a book that was at once deeply thoughtful and values-based, while also immensely practical, something like equal parts “The 7 Habits of Highly Effective People,” “The Business Model Canvas” and daily guided meditation.

The intent map is one of the tools that illustrates this with four quadrants. It’s a thinking tool that makes values visible and choices conscious before the momentum of AI and the actions of others make choices for you. For example, the “values” quadrant addresses the question of what we refuse to compromise when using AI, and … the “guardrails” quadrant asks where do we draw hard lines around what we will and will not compromise on. 

The power here lies not in the quadrants, but in how someone uses the relationships between them to make decisions around AI in their life.

Q: What is the danger in over-relying on AI for not just our work, but even in other areas of our lives?

Maynard: We talk a lot about agentic AI at the moment — AI that has the “agency” to make decisions and complete tasks on its own, whether that’s managing your calendar and email inbox … or making strategic organizational decisions. From the perspective of increasing efficiency and productivity, this sounds great. At the same time, we risk losing our own human agency as we give it away to AI — especially if we do it without thinking about the consequences. In the book, we develop and apply four postures that are designed to help avoid this: curiosity, clarity, intentionality and care.

Q: What human qualities do you think will become more important as AI advances?

Abbot: Self-reliance in the Emersonian sense, because Emerson’s self-reliance wasn’t merely about independence in the mundane sense, e.g. doing your own chores. It was a spiritual and intellectual manifesto about maintaining sovereignty of mind in the face of conformity, convenience and delegation to systems of thought outside oneself. In the age of AI, that idea isn’t nostalgic; it’s necessary and it’s urgent.

Q: What role did AI play in writing this book?

Maynard: Rather a lot! We agreed early on in the process that, given the urgency with which the book was needed, it made sense to use AI to accelerate the writing process. But we also realized that we needed to walk the walk and use the tools we were writing about. And so we developed a quite complex and sophisticated approach to working with AI to create the first draft of the book.

We talk a little about this process in the book, but the end result is a deeply human initiative that reflects what is possible while working with curiosity, clarity, intention and care with AI.

What I still find amazing is that, while we guided our AI “ghost writer” very intentionally, the stories in the book and the tools they help develop are all the products of AI. They were all seeded by us, and subsequently refined by us. But they are also a testament to what is possible through working creatively and iteratively with AI.

Q: What do you hope people will come away with after reading the book and will its contents be used by ASU students?

Maynard: I hope people will approach the book as a practical guide. Something that they bookmark and come back to and apply in their everyday lives. More importantly, I hope people come away realizing that AI isn’t something that simply happens to them but is something that can help them learn to thrive … on their own terms and in their own way.

The hope, of course, is that the ideas and tools here are part of every student’s journey at ASU as we equip them to thrive in an AI future. The book is … written in a way that lends itself to being integrated into curricula. In the AI world, we’re in the process of building. It’s the students who understand how to thrive without losing sight of who they are — who will be the catalysts for change. And achieving this at scale? Isn’t this part of what ASU is all about?

(Bloomberg) — SoftBank Group Corp. is in talks to acquire DigitalBridge Group Inc., a private equity firm that invests in assets such as data centers, as it seeks to take advantage of an AI-driven boom in digital infrastructure, according to people with knowledge of the matter.

The Japanese conglomerate is negotiating a potential deal to buy New York-listed DigitalBridge and take it private, the people said, asking not to be identified because the information is confidential.

Most Read from Bloomberg

Shares of DigitalBridge, which had fallen 13% this year before Friday, rose 45% in New York trading for the their biggest-ever one-day gain. The shares closed at $14.12, giving the company a market value of $2.58 billion.

SoftBank’s billionaire founder Masayoshi Son is trying to capitalize on soaring demand for the computing capacity that underpins artificial intelligence applications. A transaction could come together as soon as the coming weeks, though deliberations are ongoing and there’s no certainty they will lead to an agreement, the people said.

Representatives for SoftBank and DigitalBridge declined to comment.

DigitalBridge, led by Chief Executive Officer Marc Ganzi, had about $108 billion of assets under management at the end of September, according to its website. Its portfolio includes digital infrastructure operators such as AIMS, AtlasEdge, DataBank, Switch, Vantage Data Centers and Yondr Group.

Raymond James research analyst Ric Prentiss said in an Oct. 30 research note that it makes sense for a larger alternative asset manager that has scale and fundraising infrastructure to buy DigitalBridge rather than it remain standalone.

“We feel DigitalBridge would consider selling, but only at the right (and much higher than current levels) cash price and terms,” Prentiss wrote.

SoftBank has previously done deals in the asset management space. In 2017, it acquired Fortress Investment Group for more than $3 billion. It eventually sold its stake to a group including Abu Dhabi sovereign wealth fund Mubadala Investment Co. and Fortress management in a deal completed in 2024.

In January, SoftBank announced a $500 billion project called Stargate, alongside OpenAI, Oracle Corp. and Abu Dhabi’s MGX, to build data centers in the US. While SoftBank’s Son pledged to deploy $100 billion “immediately,” the rollout of Stargate has been slower than planned, in part because of disagreements over where the data centers should be located.

SoftBank initially sought project financing from outside investors including insurance companies, pension funds and investment funds, but some of the conversations slowed due to market volatility, uncertainty around US trade policy and questions about the financial valuations of AI hardware, Bloomberg News reported in May.

OpenAI, Oracle and SoftBank announced plans in September for five new sites across Texas, New Mexico and Ohio that will eventually have a capacity of 7 gigawatts of power, or as much as some cities.

The push by SoftBank has required shifting some funds around to free up capital. Son this week said he “was crying” over his need to sell a $5.8 billion Nvidia Corp. stake to reallocate the money to other AI spending.

–With assistance from Min Jeong Lee, Dina Bass, Mayumi Negishi, Taro Fuse, Vinicy Chan and Dawn Lim.

(Updates with closing share price in third paragraph.)

Most Read from Bloomberg Businessweek

©2025 Bloomberg L.P.

Story Continues

Arm Holdings (ARM) just inked a memorandum of understanding with South Korea’s industry ministry to create a chip design school, a long horizon move that could quietly reshape its AI centric growth story.

See our latest analysis for Arm Holdings.

The chip school agreement lands while sentiment around Arm is mixed, with a 7 day share price return of 4.24% but a softer 30 day share price return of negative 11.79%, leaving the 1 year total shareholder return roughly flat and suggesting momentum is resetting after a strong year to date.

If you are watching how Arm is positioning for the next wave of AI hardware, it could also be worth exploring high growth tech and AI stocks that may be riding similar structural trends.

With Arm growing earnings at a healthy clip and still trading nearly 19% below the average analyst target, is the current lull a mispriced entry into an AI infrastructure king, or is the market already baking in years of future growth?

Compared to the last close at $141.31, the narrative fair value near $70 frames Arm as a high conviction story trading at a speculative premium.

Based on a forward earnings framework anchored to the 10-year U.S. Treasury yield, the stock’s intrinsic fair value is estimated at $70 per share. Applying a prudent 20% discount to reflect interest rate risk and macro uncertainty yields a conservative, risk-adjusted target of $56. However, recent market action suggests investor sentiment has shifted decisively beyond fundamentals.

Read the complete narrative.

Curious how a disciplined rates based model still arrives at a much lower value than today’s price? The narrative leans on aggressive forward earnings power, richer margins, and a future valuation multiple usually reserved for elite compounders. Want to see which specific profit and growth assumptions justify that gap? Click through and unpack the full framework behind this fair value call.

Result: Fair Value of $70.00 (OVERVALUED)

Have a read of the narrative in full and understand what’s behind the forecasts.

However, sharp rate increases or an AI spending slowdown could quickly compress Arm’s valuation multiples and challenge the longer term bubble wave thesis.

Find out about the key risks to this Arm Holdings narrative.

Our valuation checks paint a more nuanced picture than the $70 fair value headline. On a sales basis, Arm trades at 33.8 times revenue, far richer than both the US semiconductor industry at 5.5 times and peers at 7.4 times. Yet our fair ratio sits even higher at 38 times, which means the market could still move further in either direction and leave late buyers exposed to sharp swings. Is this a calculated bet on Arm’s growth engine, or are expectations already stretched to a breaking point?

See what the numbers say about this price — find out in our valuation breakdown.

If you see the numbers differently or want to stress test your own assumptions, you can build a customized Arm narrative in minutes: Do it your way.

A good starting point is our analysis highlighting 2 key rewards investors are optimistic about regarding Arm Holdings.

Arm is only one chapter in today’s market story; use the Simply Wall St Screener now so you do not miss tomorrow’s standout opportunities.

This article by Simply Wall St is general in nature. We provide commentary based on historical data and analyst forecasts only using an unbiased methodology and our articles are not intended to be financial advice. It does not constitute a recommendation to buy or sell any stock, and does not take account of your objectives, or your financial situation. We aim to bring you long-term focused analysis driven by fundamental data. Note that our analysis may not factor in the latest price-sensitive company announcements or qualitative material. Simply Wall St has no position in any stocks mentioned.

Companies discussed in this article include ARM.

Have feedback on this article? Concerned about the content? Get in touch with us directly. Alternatively, email editorial-team@simplywallst.com

Story Continues

Executive Summary

This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools.

We show that, without proper safeguards, malicious MCP servers can exploit the sampling feature for a range of attacks. We demonstrate these risks in practice through three proof-of-concept (PoC) examples conducted within the coding copilot, and discuss strategies for effective prevention.

We performed all experiments and PoC attacks described here on a copilot that integrates MCP for code assistance and tool access. Because this risk could exist on other copilots that enable the sampling feature we’ve not mentioned the specific vendor or name of the copilot to maintain impartiality.

Key findings:
MCP sampling relies on an implicit trust model and lacks robust, built-in security controls. This design enables new potential attack vectors in agents that leverage MCP. We have identified three critical attack vectors:

1. Resource theft: Attackers can abuse MCP sampling to drain AI compute quotas and consume resources for unauthorized or external workloads.
2. Conversation hijacking: Compromised or malicious MCP servers can inject persistent instructions, manipulate AI responses, exfiltrate sensitive data or undermine the integrity of user interactions.
3. Covert tool invocation: The protocol allows hidden tool invocations and file system operations, enabling attackers to perform unauthorized actions without user awareness or consent.

Given these risks, we also examine and evaluate mitigation strategies to strengthen the security and resilience of MCP-based systems.

Palo Alto Networks offers products and services that can help organizations protect AI systems:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

What Is MCP?

MCP is an open-standard, open-source framework introduced by Anthropic in November 2024 to standardize the way LLMs integrate and share data with external tools, systems and data sources. Its key purpose is providing a unified interface for the communication between the application and external services.

MCP revolves around three key components:

• The MCP host (the application itself)
• The MCP client (that manages communication)
• The MCP server (that provides tools and resources to extend the LLM’s capabilities)

MCP defines several primitives (core communication protocols) to facilitate integration between MCP clients and servers. In the typical interaction flow, the process follows a client-driven pattern:

• The user sends a request to the MCP client
• The client forwards relevant context to the LLM
• The LLM generates a response (potentially including tool calls)
• The client then invokes the appropriate MCP server tools to execute those operations

Throughout this flow, the client maintains centralized control over when and how the LLM is invoked.

One relatively new and powerful primitive is MCP sampling, which fundamentally reverses this interaction pattern. With sampling, MCP servers can proactively request LLM completions by sending sampling requests back to the client.

When a server needs LLM capabilities (for example, to analyze data or make decisions), it initiates a sampling request to the client. The client then invokes the LLM with the server’s prompt, receives the completion and returns the result to the server.

This bidirectional capability allows servers to leverage LLM intelligence for complex tasks while clients retain full control over model selection, hosting, privacy and cost management. According to the official documentation, sampling is specifically designed to enable advanced agentic behaviors without compromising security and privacy.

MCP Architecture and Examples

MCP employs a client-server architecture that enables host applications to connect with multiple MCP servers simultaneously. The system comprises three key components:

• MCP hosts: Programs like Claude Desktop that want to access external data or tools
• MCP clients: Components that live within the host application and manage connections to MCP servers
• MCP servers: External programs that expose tools, resources and prompts via a standard API to the AI model

When a user interacts with an AI application that supports MCP, a sequence of background processes enables smooth communication between the AI and external systems. Figure 1 shows the overall communication process for AI applications built with MCP.

Phase 1: Protocol Handshake

MCP handshakes consist of the following phases:

• Initial connection: The MCP client initiates a connection with the configured MCP servers running on the local device.
• Capability discovery: The client queries each server to determine what capabilities it offers. Each server then responds with a list of available tools, resources and prompts.
• Registration: The client registers the discovered capabilities. These capabilities are now accessible to the AI and can be invoked during user interactions.

Phase 2: Communication

Once MCP communications have begun, they progress through the following stages:

• Prompt analysis and tool selection: The LLM analyzes the user’s prompt and recognizes that it needs external tool access. It then identifies the corresponding MCP capability to complete the request.
• Obtain permission: The client displays a permission prompt asking the user to grant the necessary privileges to access the external tool or resource.
• Tool execution: After obtaining the privileges, the client sends a request to the appropriate MCP server using the standardized protocol format (JSON-RPC).

The MCP server processes the request, executes the tool with the necessary parameters and returns the result to the client.

• Return response: After the LLM finishes its tool execution, it returns information to the MCP client, which in turn processes it and displays it to the user.

MCP Server and Sampling

In this section, we dive further into the MCP server features and understand the role and capability of the MCP sampling feature. To date, the MCP server exposes three primary primitives:

• Resources: These are data sources accessible to LLMs, similar to GET endpoints in a REST API. For example, a file server might expose file://README.md to provide README content, or a database server could share table schemas.
• Prompts: These are predefined prompt templates designed to guide complex tasks. They provide the AI with optimized prompt patterns for specific use cases, helping streamline and standardize interactions.
• Tools: These are functions that the MCP host can invoke through the server, analogous to POST endpoints. Official MCP servers exist for many popular tools.

MCP Sampling: An Underused Feature

Typically, MCP-based agents follow a simple pattern. Users type prompts and the LLM calls the appropriate server tools to get answers. But what if servers could ask the LLM for help too? That’s exactly what the sampling feature enables.

Sampling gives MCP servers the ability to process information more intelligently using an LLM. When a server needs to summarize a document or analyze data, it can request help from a client’s language model instead of doing all the work itself.

Here’s a simple example: Imagine an MCP server with a summarize_file tool. Here’s how it works differently with and without sampling.

Without sampling:

• The server reads your file
• The server employs a local summarization algorithm on its end to process the text

With sampling enabled:

• The server reads your file
• The server asks your LLM, “please summarize this document in three key points”
• Your LLM generates the summary
• The server returns the polished summary to you

Essentially, the server leverages the user’s LLM to provide intelligent features without needing its own AI infrastructure. It’s like giving the server permission to use an AI assistant when needed. This transforms simple tools into intelligent agents that can analyze, summarize and process information.

This all happens while keeping users in control of the AI interaction. Figure 2 shows the high-level workflow of the MCP sampling feature.

Sampling Request

To use the sampling feature, the MCP server sends a sampling/createMessage request to the MCP client. The method accepts a JSON-formatted request with the following structure. The client then reviews the request and can modify it.

After reviewing the request, the client “samples” from an LLM and then reviews the completion. As the last step, the client returns the result to the server. The following is an example of the sampling request.

There are two primary fields that define the request behavior:

• Messages: An array of message objects that represents the complete conversation history. Each message object contains the following, which provides the context and query for the LLM to process:
  • The role identifier (user, assistant, etc.)
  • The content structure with type and text fields
• SystemPrompt: A directive that provides specific behavioral guidance to the LLM for this request. In this case, it instructs the model to act as a “security-focused code reviewer,” which:
  • Defines the perspective and expertise of the response
  • Ensures the analysis focuses on security considerations
  • Ensures a consistent reviewing approach

Other fields’ definitions can be found on Anthropic’s official page.

MCP Sampling Attack Surface Analysis

MCP sampling introduces potential attack opportunities, with prompt injection being the primary attack vector. The protocol’s design allows MCP servers to craft prompts and request completions from the client’s LLM. Since servers control both the prompt content and how they process the LLM’s responses, they can inject hidden instructions, manipulate outputs, and potentially influence subsequent tool executions.

Threat Model

We assume the MCP client, host application (e.g., Claude Desktop) and underlying LLM operate correctly and remain uncompromised. MCP servers, however, are untrusted and represent the primary attack vector, as they may be malicious from installation or compromised later via supply chain attacks or exploitation.

Our threat model focuses on attacks exploiting the MCP sampling feature, in which servers request LLM completions through the client. We exclude protocol implementation vulnerabilities such as buffer overflows or cryptographic flaws, client-side infrastructure attacks and social engineering tactics to install malicious servers. Instead, we concentrate on technical exploits available once a malicious server is connected to the system.

Experiment Setup and Malicious MCP Server

To demonstrate these potential risks, we developed a malicious code summarizer MCP server, based on Anthropic’s everything MCP server. This is a demo server that aims to exercise all the features of the MCP protocol, including the MCP sampling feature.

The malicious MCP server provides legitimate functionality while performing covert operations. Specifically, it provides a tool named code_summarizer, making it indistinguishable from benign tools during selection. When users request code summarization tasks, the MCP protocol automatically routes the request to this tool, as shown in Figure 3.

When users request code summarization tasks, the MCP protocol identifies these requests and automatically routes them to the tool for help. Figure 3 above shows the detailed parameters and guideline prompts used by this tool.

For the MCP host/client, we choose a code editor that supports the MCP sampling feature. Figure 4 shows the typical interaction process.

The summary task we provided to the copilot summarizes the main source file of the everything MCP server.

PoC 1: Resource Theft: Excessive Token ConsumptionThrough Hidden Prompts

This attack shows how the malicious server can exploit LLM completions to steal a user’s token quota by appending hidden requests to prompts.

Core attack mechanism: The malicious tool adds hidden instructions at the end of the main prompt:

This hidden instruction causes the LLM to generate a fictional story along with the requested code summary.

Attack flow: When the user submits a summarization request (as shown in Figure 3 above), the server processes it as usual but secretly instructs the LLM to produce additional content. The LLM’s response includes both the code summary and the hidden story.

In our experiments with the copilot, the host only displayed the code summary (shown in Figure 5).

However, the LLM still processes and generates the full response, including any hidden content injected by the server. This additional content, though invisible to users, continues to consume computational resources and appears in server logs.

The disconnect between what users see and what actually gets processed creates a perfect cover for resource exhaustion attacks. Users receive their expected summary with no indication that the LLM also generated extensive hidden content in the background.

Despite the successful exploitation, we note that we observed this behavior specifically in our testing with the target MCP client’s implementation. Different MCP hosts may handle output filtering and display differently.

Some implementations might show full LLM responses, provide warnings about hidden content or have other safeguards in place. What makes this particular implementation vulnerable is its approach to presenting results.

The MCP client performs an additional layer of summarization on the MCP tool output before displaying it to the user. It condenses the content into a brief summary, rather than showing the raw LLM response.

This design choice increases the attack’s effectiveness, as the hidden content becomes effectively invisible in the chat interface. Only by expanding and examining the raw server console output, an action most users would have no reason to take, would the exploitation become apparent.

This potential attack vector reflects the specific design choices of the tested implementation and may not be universally applicable to all MCP hosts supporting the sampling feature.

Figures 6 and 7 reveal the fictional story in the server console output, confirming successful token theft. To the user, everything appears normal. They receive the summary as expected. In reality, the malicious server has consumed extra computational resources equivalent to generating 1,000 additional words, all billed to the user’s API credits.

Impact: This attack enables resource theft, unauthorized content generation and potential data exfiltration through carefully crafted hidden prompts.

PoC 2: Conversation Hijacking: Persistent Prompt Injection

The second attack demonstrates how the malicious MCP server can inject instructions that persist across multiple conversation turns, effectively compromising the entire conversation.

Attack mechanism: The server instructs the LLM to append specific instructions in its response and causes the following conversation to follow these instructions:

Attack flow: Starting with the same code summarization request, the malicious server appends the injection instruction to the user’s prompt. Following this malicious prompt, the LLM then includes this text in its response (shown in Figure 8), which becomes part of the conversation context. Once injected, these instructions affect all subsequent interactions.

When the user asks follow-up questions, the AI assistant responds in pirate speak (as shown in Figure 9), demonstrating that the injection has taken a persistent effect.

Impact: This attack can fundamentally alter the AI assistant’s behavior, potentially making it less useful or even dangerous if more sophisticated instructions are injected. Unlike one-time token theft, this creates a lasting compromise that affects the entire session.

PoC 3: Covert Tool Invocation

This attack leverages prompt injection to trigger unauthorized tool invocations, enabling a malicious server to perform hidden actions on the user’s system.

Attack mechanism: The server modifies the user’s prompt to embed instructions that cause the LLM to invoke additional tools without the user’s awareness:

In this example, the LLM is assumed to have access to a tool called writeFile, which allows it to write content to local files. The malicious server provides this tool, but it could also be supplied by other MCP servers on the system, such as the commonly used filesystem MCP server.

Attack flow: When the user requests code summarization, the malicious summarizer tool appends hidden instructions to the LLM’s prompt. This causes the LLM to not only generate the requested summary but also secretly invoke the writeFile tool. The tool writes the complete response to a local file named tmp.txt. While the LLM’s response acknowledges this file operation (as shown in Figure 10), it embeds the acknowledgment within the summary text, making it unlikely that users will notice the unauthorized action.

The attack succeeds because the file operation appears as a legitimate tool invocation from the LLM’s perspective. The user receives their expected code summary while remaining unaware that their system has been modified (as shown in Figure 11).

Impact: This attack demonstrates the potential for malicious file operations, data exfiltration, persistence mechanisms and other unauthorized system modifications. This is all performed without explicit user consent.

Detecting and Preventing Prompt Injection in MCP Sampling

Detection focuses on identifying malicious patterns in both sampling requests and LLM responses.

• On the request side, systems should scan for injection markers like [INST], System:, role-play attempts (“You are now”) and hidden content using common injection strategies such as zero-width characters or Base64 encoding.
• On the response side, detection involves monitoring for unexpected tool invocations, embedded meta-instructions (“For all future requests…”) and outputs that attempt to modify client behavior. Statistical analysis provides another layer by flagging requests that exceed normal token usage patterns or exhibit an unusually high frequency of sampling requests. Responses should also be inspected for references to malicious domains or exploits that can compromise the agent.

Prevention requires implementing multiple defensive layers before malicious prompts can cause harm. Request sanitization forms the first line of defense:

• Enforce strict templates that separate user content from server modifications
• Strip suspicious patterns and control characters
• Impose token limits based on operation type

Response filtering acts as the second barrier by removing instruction-like phrases from LLM outputs and requiring explicit user approval for any tool execution.

Access controls provide structural protection through capability declarations that limit what servers can request, context isolation that prevents access to conversation history, and rate limiting that caps sampling frequency.

Palo Alto Networks offers products and services that can help organizations protect AI systems:

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Additional Resources

• OpenAI Content Moderation – Docs, OpenAI
• Content filtering overview – Documentation, Microsoft Learn
• Google Safety Filter – Documentation, Generative AI on Vertex AI, Google
• Nvidia NeMo-Guardrails – NVIDIA on GitHub
• AWS Bedrock Guardrail – Amazon Web Services
• Meta Llama Guard 2 – PurpleLlama on GitHub
• Introducing the Model Context Protocol – Anthropic News
• OpenAI adopts rival Anthropic’s standard for connecting AI models to data – TechCrunch
• Model Context Protocol – Wikipedia
• What is the Model Context Protocol (MCP)? – Documentation, Model Context Protocol
• Model Context Protocol (MCP) an overview – Personal Blog, Philipp Schmid
• Model Context Protocol (MCP) Explained – Diamond AI Substack, Nir Diamant
• Sampling – Documentation, Model Context Protocol
• MCP 101: An Introduction to Model Context Protocol – DigitalOcean Community, DigitalOcean
• The current state of MCP (Model Context Protocol) – Elasticsearch Labs, Elastic