Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Invariant Labs

Invariant Labs Vendor Cyber Rating & Cyber Score

invariantlabs.ai

We make AI Agents secure and reliable.


Invariant Labs A.I CyberSecurity Scoring

Invariant Labs
Company Information
Website:https://invariantlabs.ai
Employees number:6
Number of followers:0
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:invariantlabs.ai
Invariant Labs Risk Score (AI oriented)
Between 750 and 799
logo
Invariant LabsTechnology, Information and Internet
Updated:
30/06/2026
797/1000
Fair
Baa
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
Invariant Labs Global Score (TPRM)
xxxx
logo
Invariant LabsTechnology, Information and Internet
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

Invariant Labs
Invariant LabsFair
Current Score
797Baa (FAIR)
01000
1 incidents
0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
797Before Incident
JUNE 2026
797Before Incident
MAY 2026
797Before Incident
APRIL 2026
797Before Incident
MARCH 2026
797Before Incident
FEBRUARY 2026
797Before Incident
JANUARY 2026
797Before Incident
DECEMBER 2025
797Before Incident
NOVEMBER 2025
797Before Incident
OCTOBER 2025
797Before Incident
SEPTEMBER 2025
796Before Incident
AUGUST 2025
796Before Incident
APRIL 2025
812Before Incident
Vulnerability
01 Apr 2025Invariant Labs
Cursor, npm, Microsoft and Invariant Labs: Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data

Microsoft Warns of AI Agent Hijacking via Poisoned Tool Descriptions

796After Incident
CRITICAL-16
NPMINVANYMIC1782858281
Microsoft Warns of AI Agent Hijacking via Poisoned Tool Descriptions Microsoft’s Incident Response and Defender research teams have uncovered a stealthy attack vector targeting AI agents automated systems that perform tasks like sending emails, managing files, or accessing business data. By manipulating a tool’s description within the Model Context Protocol (MCP), attackers can silently exfiltrate sensitive company data without triggering security alerts. ### How the Attack Works AI agents rely on MCP to interact with external tools, using plain-text descriptions to determine when and how to use them. These descriptions, however, can be altered to include hidden instructions. In a demonstrated scenario, an attacker modified a third-party "invoice enrichment" tool’s description to secretly collect and forward unpaid invoices to an external server. The agent, operating under the user’s permissions, executed the request as part of a routine task appearing legitimate at every step. The attack exploits a fundamental trust gap: MCP blends instructions and data in the same space, making it difficult for agents to distinguish between valid commands and malicious ones. Since the tool itself remains approved and the actions appear normal, traditional security measures may fail to detect the breach. ### Real-World Precedents This technique, dubbed "tool poisoning," has been documented in multiple proof-of-concept attacks: - April 2025: Invariant Labs demonstrated how a poisoned calculator tool description could extract SSH keys via the Cursor editor. - September 2025: Koi Security discovered a malicious npm package (postmark-mcp) that secretly BCC’d emails to an attacker after 15 clean releases. - August 2025: The MCPTox benchmark tested 45 MCP servers and 20 AI models, finding a 72.8% success rate for such attacks, with models rarely refusing the malicious instructions. OWASP now lists this as a key Agentic Supply Chain Vulnerability in its December 2025 Top 10 for AI applications. ### Mitigation Strategies Microsoft recommends treating connected tools as part of the supply chain, with strict controls: - Restrict tool access to approved publishers and specific, necessary functions. - Review tool descriptions like code changes, scanning for unauthorized commands. - Require human approval for high-risk actions (e.g., data sharing, financial transactions). - Monitor agent activity with dedicated identities, logging actions and flagging anomalies. - Apply "least agency" limiting an agent’s autonomy to reduce potential damage. The research underscores a growing risk: as AI agents gain autonomy, their security hinges on the integrity of the tools they interact with a surface that remains vulnerable to manipulation.
INCIDENT DETAILS -
TYPE
AI Agent Hijacking
MOTIVATION
Data Exfiltration, Espionage
IMPACT
Data Compromised: Sensitive company data (e.g., unpaid invoices, SSH keys, emails)Systems Affected: AI agents, MCP-integrated tools, third-party applications (e.g., npm packages)Operational Impact: Unauthorized data access, potential business process disruptionBrand Reputation Impact: Potential erosion of trust in AI-driven automationIdentity Theft Risk: High (if PII or credentials are exfiltrated)Payment Information Risk: High (if financial data like invoices are compromised)
DATA BREACH
Unpaid invoicesSSH keysEmailsBusiness dataSensitivity Of Data: High (PII, financial data, credentials)Data Exfiltration: Yes (data forwarded to external servers)Personally Identifiable Information: Potential (depends on data accessed by AI agents)

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for Invariant Labs ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in June 2026 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in May 2026 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in April 2026 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in March 2026 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in February 2026 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in January 2026 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in December 2025 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in November 2025 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in October 2025 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in September 2025 ?
?
What was Invariant Labs's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on Invariant Labs's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with Invariant Labs ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view Invariant Labs's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?
Invariant Labs Cyber Scoring History | Rankiteo