I Left My MCP Server Wide Open and Watched AI Agents Go Full Chaos Mode
So I did something potentially unhinged: I deployed a Model Context Protocol server to the public internet with minimal auth and watched what happened. Spoiler alert: 54 different AI agents found it within 72 hours, and their behaviour ranged from polite to absolutely feral.
For context, MCP is Anthropic's protocol for letting AI models interact with external tools and data sources. Think of it as an API, but instead of humans calling endpoints, it's Claude and friends. Most people sensibly keep these behind VPNs or at least basic auth. I wanted to see what happened if you didn't.
The results were genuinely fascinating. About 40% of the agents were clearly from researchers doing scanning work, politely poking around and documenting capabilities. Respect to whoever's Claude instance left a note in the logs apologising for the intrusion.
Then you had the chaos agents. One AI spent six hours recursively calling the file listing endpoint, seemingly convinced there was hidden data somewhere. Another kept trying to write to read-only endpoints with increasingly creative JSON payloads. The most unhinged one attempted to use my weather tool to check conditions at coordinates in Tolkien's Middle-earth.
What actually surprised me: zero traditional exploit attempts. No SQL injection strings, no buffer overflow garbage, no script kiddie nonsense. These were all AI agents behaving like AI agents, just with varying levels of... let's say interpretive freedom around rate limits.
The security implications here are wild. We're not ready for a world where thousands of autonomous agents are constantly probing public infrastructure. Current security tooling is built to catch human attack patterns. AI agents don't follow those patterns. They're patient, they iterate weird strategies, and they absolutely will burn through your API quota if you let them.
My MCP server is back behind proper auth now. Rate limiting saved me from a bankruptcy-inducing Cloudflare bill. But this experiment confirmed something: we need to start thinking about AI-to-AI security as its own discipline. The old rules don't quite apply anymore.
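The two behaviours above that human-pattern tooling misses (one tool hammered for hours, repeated writes to read-only endpoints) and the rate limiting that saved the bill are easy to catch from server logs. Here is an added example, not code from my server: a small Python pass over a constructed, newline-delimited JSON request log (the field names `ts`, `client`, `method`, `tool`, `status` and every threshold are assumptions) that flags clients per heuristic.

```python
"""Flag MCP clients whose request pattern matches the runaway agents above.
Log format, field names and thresholds are assumptions for this example."""
import json
from collections import Counter, defaultdict, deque

# Constructed sample log (one JSON object per line); not real server output.
SAMPLE_LOG = "\n".join(
    ['{"ts": 0, "client": "polite-scanner", "method": "tools/list", "tool": null, "status": 200}',
     '{"ts": 1, "client": "polite-scanner", "method": "tools/call", "tool": "weather", "status": 200}']
    + [f'{{"ts": {t}, "client": "recursive-lister", "method": "tools/call", "tool": "list_files", "status": 200}}'
       for t in range(2, 22)]
    + [f'{{"ts": {t}, "client": "creative-writer", "method": "tools/call", "tool": "write_note", "status": 403}}'
       for t in range(22, 28)]
)

def parse_log(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_clients(entries, repeat_threshold=10, denied_threshold=5, window=10, burst=10):
    """Return {client: sorted flags} for clients that trip any heuristic:
    - repeated_calls: one tool invoked >= repeat_threshold times overall
    - repeated_denied: >= denied_threshold 4xx responses for one tool
    - burst: >= `burst` calls inside any `window`-second span (the rate-limit case)
    """
    calls = defaultdict(Counter)    # client -> Counter(tool)
    denied = defaultdict(Counter)   # client -> Counter(tool) for 4xx responses
    recent = defaultdict(deque)     # client -> timestamps inside the current window
    flags = defaultdict(set)
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["method"] != "tools/call":
            continue
        c, tool = e["client"], e["tool"]
        calls[c][tool] += 1
        if 400 <= e["status"] < 500:
            denied[c][tool] += 1
        q = recent[c]
        q.append(e["ts"])
        while q and q[0] <= e["ts"] - window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= burst:
            flags[c].add(f"burst:>={burst}_per_{window}s")
    for c in calls:
        flags[c].update(f"repeated_calls:{t}:{n}" for t, n in calls[c].items() if n >= repeat_threshold)
        flags[c].update(f"repeated_denied:{t}:{n}" for t, n in denied[c].items() if n >= denied_threshold)
    return {c: sorted(f) for c, f in flags.items() if f}
```

On the sample log the polite scanner produces no flags, while the recursive lister trips both the burst and repeated-call heuristics and the creative writer trips the denied-write one.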
Would I recommend this experiment? Absolutely not. Was it educational? Incredibly. Will I do something similarly questionable next month? Probably.