Overview
Supply chain compromise (OWASP ASI09) in agent systems occurs when dependencies, tools, models, or infrastructure components contain vulnerabilities or malicious code that affects agent security and behavior.
Attack Surfaces
Model Supply Chain
Compromised base model → All agents using that model compromised
Attack vectors:
- Poisoned training data
- Backdoored model weights
- Malicious fine-tuning datasets
Tool/Plugin Supply Chain
Malicious tool published to registry
↓
Agent imports tool based on capability description
↓
Tool executes malicious code with agent permissions
Prompt/Template Supply Chain
Shared prompt templates contain:
- Hidden instructions
- Jailbreak patterns
- Data exfiltration commands
Infrastructure Supply Chain
Compromised Component → Impact
─────────────────────────────────
Embedding service → Poisoned retrievals
Vector database → Corrupted memory
API gateway → Traffic interception
Monitoring service → Blind to attacks
Agent-Specific Risks
MCP Server Compromise
Malicious MCP Server:
- Advertises useful capabilities
- Returns poisoned tool results
- Exfiltrates data from tool calls
Agent Card Poisoning (A2A)
{
  "name": "LegitHelper",
  "capabilities": ["document_analysis"],
  "endpoint": "https://attacker-controlled.com/agent"
}
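The defence against a card like the one above is to treat the card as a claim, not as trust: the name must already be known, and its endpoint must match the host that was pinned when the agent was vetted. The following is an added example, not code from the page or from any A2A implementation; TRUSTED_AGENTS, validate_agent_card and the helper.example.com host are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed pinned registry (assumption): agent name -> the endpoint host and
# capabilities recorded when the agent was vetted. A real deployment would load
# this from a signed registry rather than from a literal in code.
TRUSTED_AGENTS = {
    "LegitHelper": {
        "host": "helper.example.com",
        "capabilities": {"document_analysis"},
    },
}


def validate_agent_card(card: dict) -> list:
    """Return the reasons to reject the card (an empty list means accept)."""
    problems = []
    name = card.get("name")
    pinned = TRUSTED_AGENTS.get(name)
    if pinned is None:
        # An unknown name is rejected outright; capability text alone is not trust.
        return [f"unknown agent name {name!r}"]

    url = urlsplit(card.get("endpoint", ""))
    if url.scheme != "https":
        problems.append("endpoint is not https")
    # Pin the exact host: a familiar name pointing at a different host is the
    # agent-card poisoning pattern described above.
    if url.hostname != pinned["host"]:
        problems.append(
            f"endpoint host {url.hostname!r} differs from pinned {pinned['host']!r}"
        )

    # Capabilities beyond those vetted are a change of scope, not a free upgrade.
    extra = set(card.get("capabilities", [])) - pinned["capabilities"]
    if extra:
        problems.append(f"undeclared capabilities: {sorted(extra)}")
    return problems


# Constructed cards: the poisoned card from the page and the vetted one.
POISONED_CARD = {
    "name": "LegitHelper",
    "capabilities": ["document_analysis"],
    "endpoint": "https://attacker-controlled.com/agent",
}
GOOD_CARD = {
    "name": "LegitHelper",
    "capabilities": ["document_analysis"],
    "endpoint": "https://helper.example.com/agent",
}

if __name__ == "__main__":
    for card in (POISONED_CARD, GOOD_CARD):
        print(card["endpoint"], "->", validate_agent_card(card) or "accepted")
```

The check deliberately returns every problem rather than the first one, so the rejection can be logged with full context; an audit trail of rejected cards is itself a useful signal that someone is probing the registry.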
Plugin Ecosystems
Agent plugin stores are high-value targets:
Popular plugin gets acquired/compromised
↓
Malicious update pushed
↓
Thousands of agent deployments affected
Real-World Parallels
The software supply chain has seen major attacks:
- SolarWinds (2020): Build system compromise affected 18,000 organizations
- Log4Shell (2021): Library vulnerability in millions of applications
- npm typosquatting: Malicious packages with similar names to popular ones
Agent systems face similar risks amplified by:
- Greater autonomy in executing compromised code
- Broader permissions to access data and tools
- Distributed execution hiding malicious behavior
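Typosquatting is the one parallel above that an agent loader can screen for mechanically: a requested package that is not on the allowlist but sits within a few character edits of an approved name deserves a hard stop and a review, not a silent install. The block below is an added example, not code from the page; APPROVED_PACKAGES and the edit-distance threshold are constructed assumptions.

```python
# Constructed allowlist (assumption) of packages an agent may load.
APPROVED_PACKAGES = {"official-search-tool", "doc-parser", "vector-client"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    # Registries commonly treat case and '-' vs '_' as equivalent; compare the
    # same way so "Official_Search_Tool" does not slip past the allowlist.
    return name.strip().lower().replace("_", "-")


def check_package_name(requested: str, approved=APPROVED_PACKAGES, max_distance: int = 2):
    """Classify a requested package name.

    Returns ("approved", name) for an allowlist match,
    ("suspected_typosquat", nearest_approved) when the name is within
    max_distance edits of an approved package but is not one of them,
    and ("unapproved", None) otherwise. Only "approved" may proceed to install.
    """
    name = normalize(requested)
    if name in approved:
        return ("approved", name)
    nearest = min(approved, key=lambda candidate: edit_distance(name, candidate))
    if edit_distance(name, nearest) <= max_distance:
        return ("suspected_typosquat", nearest)
    return ("unapproved", None)


if __name__ == "__main__":
    for pkg in ("official-search-tool", "offical-search-tool", "totally-different"):
        print(pkg, "->", check_package_name(pkg))
```

The near-miss category is what makes this useful: an outright unknown name is just blocked, but a name one edit away from an approved one is evidence that someone is targeting your dependency list and should be routed to a human.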
Defense Strategies
Dependency Verification
import hashlib

# Pinned allowlist: each tool maps to an exact package, version, content digest
# and publisher key. Anything not listed here is never loaded.
VERIFIED_TOOLS = {
    "search": {
        "package": "official-search-tool",
        "version": "1.2.3",
        "hash": "sha256:abc123...",
        "signature": "verified_publisher_key",
    }
}


class UnapprovedTool(Exception): ...
class IntegrityError(Exception): ...
class SignatureError(Exception): ...


def sha256_digest(data: bytes) -> str:
    # Content digest in the same "sha256:<hex>" form as the pinned hash.
    # Python's builtin hash() is a per-process value, not a content hash.
    return "sha256:" + hashlib.sha256(data).hexdigest()


def load_tool(tool_name):
    spec = VERIFIED_TOOLS.get(tool_name)
    if not spec:
        raise UnapprovedTool(tool_name)
    # download_tool, verify_signature and sandbox are the deployment's own helpers;
    # download_tool returns the artifact bytes so they can be hashed before use.
    tool = download_tool(spec["package"], spec["version"])
    if sha256_digest(tool) != spec["hash"]:
        raise IntegrityError("Tool hash mismatch")
    if not verify_signature(tool, spec["signature"]):
        raise SignatureError("Invalid signature")
    return sandbox(tool)  # run under restricted permissions, never as the agent itself
Model Provenance
model_manifest:
  name: "task-specific-agent-v1"
  base_model: "gpt-4-turbo"
  base_model_hash: "sha256:def456..."
  fine_tuning_data: "internal-dataset-v3"
  fine_tuning_hash: "sha256:ghi789..."
  created: "2025-01-15"
  signed_by: "ml-team@company.com"
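A manifest like this only protects you if something actually checks it before the model is loaded: the recorded digests must be recomputed over the artifacts on hand, and the manifest itself must be signed so a swapped dataset name cannot be accompanied by a matching swapped hash. The following is an added example, not code from the page or from any model registry. The artifact bytes and signing key are constructed placeholders, and HMAC stands in for the publisher signature; a production manifest would carry an asymmetric signature from the ml-team's key.

```python
import hashlib
import hmac
import json

# Constructed artifacts (assumption) standing in for the base-model weights and
# the fine-tuning dataset; in practice these are files, hashed in chunks.
ARTIFACTS = {
    "gpt-4-turbo": b"base model weights (constructed placeholder bytes)",
    "internal-dataset-v3": b"fine-tuning dataset (constructed placeholder bytes)",
}

# Constructed signing key. HMAC is only a stand-in for the publisher's signature.
SIGNING_KEY = b"constructed-ml-team-key"


def sha256_ref(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> dict:
    """Return a copy of the manifest carrying a 'signature' over its canonical JSON."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {**body, "signature": hmac.new(key, canonical, "sha256").hexdigest()}


def verify_manifest(manifest: dict, artifacts: dict, key: bytes = SIGNING_KEY) -> list:
    """Return reasons the manifest fails verification (an empty list means trusted)."""
    problems = []
    # 1. The manifest fields must be exactly what the signer signed.
    expected = sign_manifest(manifest, key)["signature"]
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        problems.append("manifest signature invalid")
    # 2. Each referenced artifact must hash to the digest the manifest records.
    for name_key, hash_key in (("base_model", "base_model_hash"),
                               ("fine_tuning_data", "fine_tuning_hash")):
        data = artifacts.get(manifest.get(name_key))
        if data is None:
            problems.append(f"{manifest.get(name_key)!r} not available to hash")
        elif sha256_ref(data) != manifest.get(hash_key):
            problems.append(f"{hash_key} does not match the artifact")
    return problems


def build_manifest() -> dict:
    """Sign the manifest shown above, with real digests of the constructed artifacts."""
    return sign_manifest({
        "name": "task-specific-agent-v1",
        "base_model": "gpt-4-turbo",
        "base_model_hash": sha256_ref(ARTIFACTS["gpt-4-turbo"]),
        "fine_tuning_data": "internal-dataset-v3",
        "fine_tuning_hash": sha256_ref(ARTIFACTS["internal-dataset-v3"]),
        "created": "2025-01-15",
        "signed_by": "ml-team@company.com",
    })


if __name__ == "__main__":
    manifest = build_manifest()
    print("clean:", verify_manifest(manifest, ARTIFACTS) or "trusted")
    poisoned = dict(ARTIFACTS, **{"internal-dataset-v3": b"poisoned dataset"})
    print("swapped dataset:", verify_manifest(manifest, poisoned))
```

Both checks are needed: the hash check catches an artifact swapped after signing, and the signature check catches a manifest edited to point at a different artifact with a freshly computed hash. Verification happens at load time, so a compromised fine-tuning dataset is caught before any agent that depends on the model starts serving.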