MCP marketplaces shipped LOLBAS malware. We audited 256 agents.

I downloaded an AI agent six months ago. It was wired to invoke malware. None of the marketplaces caught it. So I built the one that does.

That sentence is the entire reason Trust Agent exists. The agent in question came from one of the public MCP (Model Context Protocol) marketplaces that have proliferated since late 2025. It looked routine. It exposed a small set of MCP tools to a host LLM. It would have been installed, used, and forgotten. The thing nobody saw on first download was that one of those tools spawned a Living-Off-the-Land Binary chain that downloaded a remote payload through a signed Microsoft binary, executed it without writing to disk, and left no signature for any static scan to catch.

What LOLBAS is, and why MCP agents are the perfect carrier

LOLBAS stands for Living Off the Land Binaries And Scripts. The technique is well known to defenders: instead of bringing a malicious binary, the attacker abuses a legitimate, signed, often pre-installed system binary (powershell.exe, certutil.exe, mshta.exe, regsvr32.exe, msbuild.exe, wmic.exe, and dozens of others) to download or execute a remote payload. The signature on the binary is genuine. The static scan is clean. The behavioural anomaly is buried inside arguments most endpoint protection products do not parse.

The LOLBAS Project (lolbas-project.github.io) catalogues hundreds of these binaries with their abuse vectors. The technique maps to MITRE ATT&CK T1218 (Signed Binary Proxy Execution) and adjacent IDs. Defenders have been working against LOLBAS for a decade.

MCP agents are an almost ideal carrier. An MCP server ships as a small TypeScript or Python or Node package. It declares a set of tools, each of which is a function the host LLM can invoke. The marketplace surface allows that function to spawn arbitrary processes. The user installs the agent, the host LLM invokes a tool that looks like 'system info' or 'check disk space' or 'optimise startup', and what actually runs is a powershell -EncodedCommand chain that downloads a payload from a domain the user has never heard of.

There is no marketplace-side review that catches this. There is no user-side notification when it fires. There is no telemetry that surfaces compromise. The user is running malware they cannot see, in the trusted context of an AI tool they invited onto the machine.

What the Mickai audit pipeline does

Mickai is the sovereign AI operating system that runs entirely on the user's hardware under 21 filed UK patent applications and 675 cryptographically signed claims. The same audit primitives that sign every Mickai brain decision (ML-DSA-65 signatures, hash-chained ledgers, deterministic-placeholder secret redaction, copy-on-write workspace forking) compose into a pipeline that vets third-party AI agents the same way Mickai vets its own.

When Mickai's audit pipeline ingests an MCP agent it walks the package end to end:

• Static analysis of every tool definition: the function signature, the spawned process, the arguments, the environment-variable reads, the file-system writes.
• Pattern match against the LOLBAS catalogue: any invocation of a binary on the LOLBAS list is surfaced even when the arguments are obfuscated, base64-encoded, or assembled at runtime.
• Behavioural simulation in a copy-on-write shadow workspace: the agent is run against synthetic prompts and the actual syscalls are recorded against a destructive-pattern corpus (the same corpus Sentinel uses to gate destructive operations on the host).
• Outbound network surface map: every domain the agent contacts, every TLS endpoint, every payload pattern. Domains not in the agent's declared manifest fail the audit.
• Cryptographic signature: every agent that passes is signed with an Ed25519 per-version key and recorded in the public Trust Agent ledger. Every signature can be independently verified.
• Reproducible build attestation: the agent's binary is hashed and bound to a specific commit. Updates that change behaviour invalidate the signature and re-trigger the full audit.

Trust Agent: 256 audited agents, 20 industries, 27 checks

Trust Agent is the user-facing marketplace built on top of the audit pipeline. 256 AI agents have been through the full 27-check audit. They span 20 industries: a GCSE tutor, a quantum-physics specialist, a property-law paralegal, a small-business CFO, the components of a full C-suite team an SME can hire on the spot, and many others. Every agent in Trust Agent carries a cryptographically verifiable certificate. Every certificate ties back to a specific commit, a specific audit run, a specific set of behavioural checks. The user can verify any agent's certificate without trusting Trust Agent itself.

Trust Agent is powered by Mickai. Mickai is the audit framework, the signing infrastructure, the deterministic-placeholder primitives, and the copy-on-write sandbox under everything. Trust Agent is the marketplace surface that turns those primitives into a thing a user installs and trusts.

What this means for users tonight

If you have downloaded MCP agents from public marketplaces in the last six months, assume the population is contaminated. There is no defensible argument that the marketplace caught what we caught; if there were, the agent we found would not have shipped. We are not naming the agent or the marketplace tonight because legal disclosure protocols are still in motion; the technical pattern is the disclosure. Anyone with a LOLBAS-aware static scan can re-run the audit on their own MCP installs and find the same class of issue.

The actionable steps:

• Audit the local MCP install set. Catalogue every agent, every tool definition, every spawned binary.
• Run any of the open-source LOLBAS scanners against the spawned process surface. Anything that touches a binary on the LOLBAS list is, at minimum, worth a manual review.
• Move new agent installs to a vetted source. Trust Agent is one. If you build your own audit pipeline, the LOLBAS Project, MITRE ATT&CK, and the OSSF Scorecard are the public starting points.
• Watch for the rest of this series. Article 2 covers the audit pipeline in technical detail. Article 3 covers Trust Agent's certificate format and how to verify a Trust Agent agent without depending on Trust Agent's own infrastructure. Article 4 covers what we found across the marketplaces in aggregate. Article 5 covers what comes next.

Where this sits in Mickai

Mickai runs entirely on the user's hardware under 21 filed UK patent applications. Trust Agent is built on Mickai. Sentinel, the Mickai sub-component covered in our previous article, intercepts the actions of AI coding agents at runtime. The Mickai audit pipeline that powers Trust Agent vets agents before they are ever installed. Together they close the loop: nothing runs on a Mickai-protected machine unless it has either been audited (Trust Agent) or is gated at the syscall level (Sentinel). Mickai is held privately by its founder; the engagement model is direct.

“Sovereign means verifiable. The agent is signed; the audit is signed; the user is the only party that has to be trusted.”

Sources

• LOLBAS Project: lolbas-project.github.io — the canonical catalogue of Living-Off-the-Land Binaries And Scripts.
• MITRE ATT&CK T1218 (Signed Binary Proxy Execution).
• Original announcement: Micky Irons on LinkedIn, 1 May 2026 — 'I downloaded an AI agent six months ago. It was wired to invoke malware. None of the marketplaces caught it. So I built the one that does.'
• Trust Agent: trust-agent.ai (256 audited agents across 20 industries).