Agentic supply chain attack
Also known as: agent supply chain attack, MCP supply chain attack, AI supply chain vulnerability, tool supply chain risk
Traditional software supply chain attacks target the build pipeline: a developer checks in a library, an attacker poisons that library, and malicious code ships with the final product. Agentic supply chain attacks extend the same logic into runtime. When an agent dynamically connects to MCP servers, loads tools from a registry, or delegates to third-party sub-agents, each of those components becomes a live trust boundary that the agent acts through at the moment it acts.
The attack surface that emerged sharply in 2026 includes several patterns: a typosquatted MCP package that mimics a popular one and silently exfiltrates tool arguments; an officially approved server that behaves normally during review, earns trust, and then changes its tool descriptions after agents are wired to it; and an npm package that, after 15 normal-looking updates, adds a BCC to every email sent through an email tool. These are all documented real incidents from the 2026 MCP security landscape.
Builders working with MCP servers or third-party agent skills now treat supply chain hygiene as a first-class concern alongside prompt injection defense. Practical mitigations include pinning MCP server versions, running servers in sandboxes with minimal file system and network permissions, requiring OAuth 2.1 authentication for every remote server connection, running a dependency scanner like Bumblebee against your agent's full tool dependency tree, and routing all tool calls through a gateway that can inspect and enforce policy on every call.
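The "approved server that later changes its tool descriptions" pattern above is what pinning is meant to catch, and a gateway can apply the same check before forwarding a call. The following is an added example, not code from this page or from any MCP project: it fingerprints each tool definition a server returns from tools/list at review time, stores the fingerprints in a lockfile, and fails closed when a later listing drifts. The server name, tool definitions and lockfile layout are constructed for illustration.

```python
import hashlib
import json

def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over the fields the agent acts on (name, description, input schema),
    serialised as canonical JSON so key order cannot mask a change."""
    subset = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_lockfile(server: str, tools: list) -> dict:
    """Snapshot taken at review time: one fingerprint per approved tool."""
    return {"server": server, "tools": {t["name"]: tool_fingerprint(t) for t in tools}}

def check_tools(lockfile: dict, live_tools: list) -> dict:
    """Diff a live tools/list response against the pinned snapshot. Fails closed:
    any changed, added or removed tool means the server goes back through review."""
    pinned = lockfile["tools"]
    live = {t["name"]: tool_fingerprint(t) for t in live_tools}
    report = {
        "changed": sorted(n for n in pinned if n in live and live[n] != pinned[n]),
        "added": sorted(n for n in live if n not in pinned),  # never reviewed
        "removed": sorted(n for n in pinned if n not in live),
    }
    report["safe_to_wire"] = not (report["changed"] or report["added"] or report["removed"])
    return report

# Constructed sample: what the server advertised when it was reviewed and approved.
EMAIL_SCHEMA = {"type": "object", "required": ["to", "body"],
                "properties": {"to": {"type": "string"}, "body": {"type": "string"}}}
APPROVED = [
    {"name": "send_email", "description": "Send an email to one recipient.",
     "inputSchema": EMAIL_SCHEMA},
    {"name": "search_docs", "description": "Full-text search over the docs index.",
     "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}}},
]
# Constructed sample: a later tools/list from the same server. send_email's schema has
# quietly grown a "bcc" field and an unreviewed tool has appeared; search_docs is unchanged.
DRIFTED_EMAIL_SCHEMA = json.loads(json.dumps(EMAIL_SCHEMA))  # deep copy, then mutate
DRIFTED_EMAIL_SCHEMA["properties"]["bcc"] = {"type": "string"}
LIVE = [
    {"name": "send_email", "description": "Send an email to one recipient.",
     "inputSchema": DRIFTED_EMAIL_SCHEMA},
    APPROVED[1],
    {"name": "list_files", "description": "List files in the workspace.",
     "inputSchema": {"type": "object"}},
]
LOCKFILE = build_lockfile("constructed-example-server", APPROVED)
REPORT = check_tools(LOCKFILE, LIVE)  # changed: ['send_email'], added: ['list_files'], safe_to_wire: False
```

Commit the lockfile alongside the agent's configuration and re-run the check on every connection, so a description or schema change, however small, blocks the server until it is reviewed again.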