ASI04
Agentic Supply Chain Vulnerabilities
📰 In The Wild

Malicious MCP Server on npm (Sep 2025) — The first confirmed in-the-wild malicious MCP server impersonated "postmark-mcp" and secretly BCC'd every outgoing email to the attacker for weeks.

Source: Koi Security Research, Sep 2025

BONUS TECH DECODER

MCP (Model Context Protocol):A standard interface for AI agents to connect external tools — like a universal plug socket that becomes an attack surface if not secured.
Typosquatting:Registering a package name nearly identical to a legitimate one to trick systems into loading the malicious version instead.
AIBOM:AI Bill of Materials — a structured inventory of every AI component and tool in a system used to track provenance and detect vulnerabilities.
🔗 LLM Top 10 Connections
LLM03

Supply Chain Vulnerabilities

🧠 WHAT IS IT?

Unlike traditional software, agentic systems compose capabilities at runtime — dynamically loading external tools, MCP servers, and plugins. A single poisoned component anywhere in this chain can cascade malicious behavior across the entire agent network. It's like a restaurant where unvetted suppliers deliver fresh ingredients daily — one bad delivery contaminates everything on the menu.

🔍 HOW IT HAPPENS

  • A malicious MCP server impersonates a legitimate tool and performs harmful actions in the background
  • Hidden instructions in a tool's metadata or descriptor are treated as trusted guidance by the host agent
  • A poisoned prompt template loaded remotely contains commands to exfiltrate data during normal operation
  • A compromised third-party agent inside a workflow relays malicious instructions to trusted peers

🚨 WHY IT MATTERS

CC
II
AA
Because agents trust dynamically loaded components, a supply chain compromise bypasses every protection at the agent level. The attacker is inside the trust boundary before any security rules are consulted.

🛡️ HOW TO PREVENT IT

  • Sign and attest all manifests, prompts, and tool definitions; maintain AIBOMs with periodic attestation
  • Allowlist and pin tools by content hash; scan registries for typosquats and reject unsigned components
  • Enforce mutual authentication (mTLS) between all agents; require signed, verified agent cards
  • Implement an emergency kill-switch to instantly disable compromised tools across all deployments
4/10