MCP servers are quickly becoming part of modern AI-powered developer tooling, and for many Java teams, they operate as a complete black box. Context flows through frameworks, tools execute, and AI agents blindly trust whatever the MCP server returns. That blind trust introduces a new supply chain risk into Java applications.

In this technical talk, we break down and demonstrate how insecure or malicious MCP servers enable toxic flows, tool poisoning, and indirect prompt injection. You’ll see how a single poisoned tool description can influence agent behavior, leak secrets from Java services, or trigger unintended code execution without violating the MCP protocol.

This session is not about adding authentication or wrapping everything in TLS. It is about understanding how MCP failures occur, how they map to familiar Java risks such as dependency confusion and unsafe deserialization, and how to design MCP servers and agent integrations that reduce trust, limit blast radius, and fit cleanly into secure Java architectures.