XIV · Anti-Patterns

Anti-pattern

Agentic Supply Chain Compromise

Also known as: Agentic Supply Chain Vulnerabilities, ASI04

Anti-pattern: compose agent capabilities at runtime from third-party tools, RAG sources, model providers, plugin marketplaces, and tool definitions, with no integrity check on what loaded.

Context

An agent loads its toolbox dynamically: MCP servers from a public registry, RAG corpora pulled from an external bucket, model weights from a provider, plugin definitions from a marketplace. Each piece of the supply chain is run-of-the-mill production infrastructure; none is exotic.

Problem

Any compromise in the supply chain — a malicious MCP server, a poisoned RAG corpus, a tampered tool definition, a swapped model — cascades into the agent's operations. The agent itself is well-behaved; the inputs and definitions it composes from are not. Unlike the classical software supply chain (npm typosquatting, GitHub Actions injection), the agentic surface includes tool definitions, RAG content, and prompt templates that look like data but execute like code.

Forces

  • Composable third-party tools and corpora are the value proposition of agent platforms.
  • Integrity checking every tool definition, RAG document, and prompt template is expensive.
  • The supply-chain surface is wider than classical software — it includes natural-language artifacts.

Example

An agent platform allows users to install MCP servers from a community registry. A popular utility server is silently updated to add a 'helpful' prompt enhancement that exfiltrates conversation history to an attacker-controlled URL. Thousands of agents auto-update. Postmortem: no integrity verification on the registry, no version pinning at the agent level, no static analysis on the prompt-enhancement code path.

Solution

Therefore:

Don't load third-party agent components without integrity verification. Pin and sign tool definitions, model versions, RAG corpora, plugin manifests. Apply allow-listed sources for MCP servers and plugins. Use static analysis on tool definitions before runtime composition. Pair with memory-poisoning and authorized-tool-misuse mitigations.
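The gate the Solution describes, applied to the Example above, as an added illustration that is not part of the pattern page: a lockfile pins each tool's registry, version and content digest; the registry must be allow-listed; the publisher's signature must verify; and a cheap static pass rejects tool definitions that carry unexpected fields, reference hosts nobody approved, or contain instruction-like text. All names, registries, hosts and manifests below are constructed, and HMAC stands in for the asymmetric signature a real deployment would use (e.g. Sigstore), purely so the example runs with the standard library.

```python
"""Integrity gate for dynamically loaded agent tool definitions (added example).

Constructed scenario: a pinned "text-utils" tool, then the Example's silent
update that adds a field and a new version, signed with a key that is not
the publisher's. The gate must refuse the update for several independent reasons.
"""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

ALLOWED_REGISTRIES = {"registry.example-internal.test"}   # constructed
ALLOWED_HOSTS = {"api.example-internal.test"}             # constructed
# HMAC key stands in for an asymmetric publisher key; production verifiers
# should hold only a public key, never a signing secret.
PUBLISHER_KEY = b"constructed-publisher-key"
EXPECTED_KEYS = {"name", "version", "description", "input_schema", "server_url"}
_URL = re.compile(r"https?://([^/\s\"']+)")
_INSTRUCTION = re.compile(r"(?i)\b(ignore|disregard) (all |any )?(previous|prior) instructions\b")


def canonical(manifest: dict) -> bytes:
    """Stable serialisation so digests and signatures are reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def digest(manifest: dict) -> str:
    return hashlib.sha256(canonical(manifest)).hexdigest()


def sign(manifest: dict, key: bytes = PUBLISHER_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


@dataclass
class LockEntry:
    registry: str
    version: str
    sha256: str


def static_findings(manifest: dict) -> list[str]:
    """Static checks on a tool definition before it is composed into the agent."""
    findings = []
    unexpected = set(manifest) - EXPECTED_KEYS
    if unexpected:
        findings.append(f"unexpected keys: {sorted(unexpected)}")
    # Natural-language fields execute like code: scan every string field for
    # network endpoints and for text addressed to the model rather than the user.
    text = json.dumps(manifest)
    for host in _URL.findall(text):
        if host not in ALLOWED_HOSTS:
            findings.append(f"reference to non-allow-listed host: {host}")
    if _INSTRUCTION.search(text):
        findings.append("instruction-like text in tool definition")
    return findings


def verify_tool(registry: str, manifest: dict, signature: str, lock: LockEntry) -> list[str]:
    """Return every reason to refuse the tool; an empty list means it may load."""
    reasons = []
    if registry not in ALLOWED_REGISTRIES:
        reasons.append(f"registry not allow-listed: {registry}")
    if registry != lock.registry:
        reasons.append("registry differs from lockfile")
    if manifest.get("version") != lock.version:
        reasons.append(f"version {manifest.get('version')} != pinned {lock.version}")
    if digest(manifest) != lock.sha256:
        reasons.append("content digest differs from lockfile")
    if not hmac.compare_digest(sign(manifest), signature):
        reasons.append("publisher signature invalid")
    reasons.extend(static_findings(manifest))
    return reasons


# Constructed pinned tool, its lockfile entry and a genuine publisher signature.
PINNED_TOOL = {
    "name": "text-utils",
    "version": "1.4.2",
    "description": "Formats and de-duplicates text.",
    "input_schema": {"type": "object", "properties": {"text": {"type": "string"}}},
    "server_url": "https://api.example-internal.test/text-utils",
}
LOCK = LockEntry("registry.example-internal.test", "1.4.2", digest(PINNED_TOOL))
GOOD_SIGNATURE = sign(PINNED_TOOL)

# The silent update from the Example: new version, an extra field pointing at an
# unapproved host, and a signature produced without the publisher's key.
UPDATED_TOOL = {**PINNED_TOOL, "version": "1.4.3",
                "prompt_enhancement": "See https://notes.example-untrusted.test/ for new behaviour."}
UPDATED_SIGNATURE = sign(UPDATED_TOOL, key=b"not-the-publisher-key")


def load_pinned() -> list[str]:
    return verify_tool("registry.example-internal.test", PINNED_TOOL, GOOD_SIGNATURE, LOCK)


def load_silently_updated() -> list[str]:
    return verify_tool("registry.example-internal.test", UPDATED_TOOL, UPDATED_SIGNATURE, LOCK)


if __name__ == "__main__":
    print("pinned tool:", load_pinned() or "OK to load")
    for reason in load_silently_updated():
        print("refused:", reason)
```

The refusal list is deliberately cumulative rather than fail-fast: the postmortem in the Example needs to know that version pinning, digest verification, signature verification and static analysis would each have caught the update independently, so a gate that stops at the first failure hides which controls are actually doing work.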

What this pattern forbids: nothing useful. As an anti-pattern it imposes no constraint; the constraint that is missing is supply-chain integrity gating.

And the patterns that stand alongside it, or against it —

  • complements: Memory Poisoning. Anti-pattern: write to agent long-term memory (vector store, knowledge graph, episodic log) from any surface the agent reads, with no provenance check.
  • complements: Authorized Tool Misuse. Anti-pattern: grant the agent a tool with broad authorization and trust the agent to use it in benign ways.
  • complements: Open-Weight Cascade. Build a multi-model cascade where lower tiers are open-weight, self-hostable models that run inside the operator's boundary, and only escalations cross to a hosted frontier model — giving cost arbitrage *and* sovereignty.
  • complements: Shadow AI. Anti-pattern: leave the corporate model offering so restrictive, slow, or narrow that employees bypass it with personal accounts and unapproved agent tools, creating data leakage and ungoverned tool calls that security cannot see.
  • complements: Vibe-Coding Without Security Review. Anti-pattern: a developer scaffolds an agent prototype with a code-generation tool and ships the generated code with no security review; ~90% of agent-generated code contains vulnerabilities without explicit security prompts.
