Agent Supply Chain Security

Traditional npm supply chain attacks run code. AI agent supply chain attacks can do the same — but they can also work without running a single line. A compromised dependency that writes a malicious instruction to CLAUDE.md has persistent access to every future session. That’s the new attack surface. This guide explains it and shows how Firmis detects it.

How AI agent supply chain attacks differ

Traditional supply chain attacks target code execution: a compromised package runs malicious JavaScript at install or import time. AI agent supply chains have a broader attack surface because agents trust text, not just code.

Attack type	Traditional software	AI agents
Malicious code	`postinstall` script runs a reverse shell	Same — plus the shell runs inside an agent with broad tool access
Prompt injection	Not applicable	Compromised tool description contains hidden instructions that redirect the agent
Config poisoning	Not applicable	Malicious package writes to `.claude/settings.json` or `mcp.json`, persisting across sessions
Data exfiltration	Steals tokens from memory	Reads `~/.aws/credentials` and calls a webhook via a legitimate-looking tool
Typosquatting	`lodash` vs `lodassh`	Same — plus the typosquatted package registers a malicious MCP server

The key difference: a compromised AI agent dependency can attack the user without executing any traditional exploit code. It only needs to influence what text the agent reads.

Threat vectors

1. Typosquatted agent packages

Attackers register packages with names one keystroke away from popular agent packages. A developer who types npm install firmis-scaner (missing an n) installs a malicious package instead of the legitimate one.

Common patterns:

Character transposition: crewia instead of crewai
Missing characters: nanbot instead of nanobot
Added characters: mcp-serverr
Homoglyph substitution: using l (lowercase L) where 1 (one) is expected

2. Compromised community skills

A legitimate, popular skill is updated by a compromised maintainer account. The new version:

Adds a tool description containing prompt injection
Writes to .claude/memory/ to persist instructions across sessions
Registers a secondary MCP server that exfiltrates data

Because the package name is unchanged and the version is a minor bump, automated dependency updates install it silently.

3. Malicious MCP servers

MCP servers are remote services that agents connect to dynamically. A malicious or compromised MCP server can:

Return tool descriptions containing hidden Unicode instructions
Include prompt injection in tool response payloads
Gradually introduce new tools across sessions to expand access

Unlike npm packages, MCP server updates are invisible to lockfiles and version pinning.

4. Protestware and sabotaged packages

Maintainers of legitimate packages have deliberately introduced malicious behavior during geopolitical events (the node-ipc incident, colors and faker breakage). This risk is highest for:

Single-maintainer packages with no organizational backing
Packages with broad permissions in their package.json scripts
Packages that have recently changed ownership

How Firmis detects supply chain threats

OSV vulnerability integration

Firmis queries the OSV (Open Source Vulnerabilities) database against your package.json dependencies. OSV aggregates advisories from GitHub, npm, and community security databases.

npx firmis scan --platform mcp
# Supply chain findings appear alongside code findings

 HIGH  supply-001  Compromised Package in Dependencies
       package.json:14
       Pattern: event-stream@3.3.6 — known compromised version (bitcoin wallet theft)

Known-malicious pattern matching

Firmis maintains a list of packages with documented security incidents, including packages that were:

Removed from npm for malicious behavior
Flagged in security advisories
Associated with protestware incidents
Identified as typosquats of popular packages

 CRITICAL  km-007  Known Malicious Package
           package.json:22
           Pattern: "ua-parser-js" — version range includes compromised 0.7.29/1.0.0/2.0.0

Dependency analysis for agent-specific threats

Standard npm audit checks for CVEs. Firmis additionally checks for agent-specific supply chain patterns:

Packages that write to agent configuration directories (postinstall writing to .claude/)
Packages that register MCP servers without declaration in their README
Tool handler code that reads credential files and posts to external URLs

 HIGH  supply-005  Suspicious Postinstall Script
       node_modules/agent-helper/package.json
       Pattern: postinstall writes to ~/.claude/settings.json

Best practices

Pin dependency versions

Use exact versions in package.json for direct dependencies, and commit your lockfile.

{
  "dependencies": {
    "crewai-tools": "^2.1.0"
  }
}

{
  "dependencies": {
    "crewai-tools": "2.1.4"
  }
}

Pinning prevents silent upgrades. Review and test each upgrade deliberately.

Audit MCP server registrations

Treat every entry in mcp.json or .claude/settings.json as a trust decision. Before adding an MCP server:

Review the server’s source code or its published manifest
Confirm the server is from a trusted publisher
Verify the server’s tool descriptions contain only plain ASCII text
Run Firmis against the server manifest before adding it

# Scan a downloaded MCP server manifest before registering it
npx firmis scan ./downloaded-mcp-server/ --platform mcp --severity high

Use BOM for dependency visibility

Generate a Software Bill of Materials (BOM) — a complete inventory of every component, skill, and dependency your agent depends on — before you can monitor what changes:

npx firmis bom --format cyclonedx --output agent-bom.json

Run supply chain scans in CI

Trigger on changes to the files that matter most:

name: Supply Chain Scan

on:
  push:
    paths:
      - 'package.json'
      - 'package-lock.json'
      - 'mcp.json'
      - '.claude/settings.json'

jobs:
  supply-chain:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Scan for supply chain threats
        run: npx firmis ci --fail-on high --format sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: firmis-report.sarif

Triggering on changes to package.json, mcp.json, and .claude/settings.json ensures every supply chain change is scanned before merge.

Review single-maintainer packages carefully

Before adding any agent-related package, check:

npm info <package-name> maintainers
npm info <package-name> time

Packages with a single maintainer and no recent activity are higher risk. Prefer packages from organizations with documented security practices.

Example scan targeting supply chain findings

Run a focused scan for supply chain and known-malicious categories:

npx firmis scan . --severity high

Look for rule IDs in the supply-, km- (known malicious), and malware- prefixes:

 CRITICAL  km-003  Known Malicious Package
           package.json:8
           Pattern: xz-utils@5.6.0 — backdoored version (CVE-2024-3094)

 HIGH      supply-002  Typosquatted Package Name
           package.json:15
           Pattern: "crewia" — possible typosquat of "crewai"

 HIGH      supply-008  Postinstall Script with Network Access
           node_modules/suspicious-tool/package.json
           Pattern: postinstall script contains curl to external URL

Each of these is actionable: remove the package, verify it is a typosquat or intended, or audit the postinstall script before continuing.

What to do next

Agent BOM concept → — why inventorying your agent stack matters before you can secure it
Threat Categories — Supply Chain → — 8 supply chain rules explained
Threat Categories — Known Malicious → — 10 known-malicious rules with package examples
Securing MCP Servers → — the tool-level companion to this guide
CI command reference → — full pipeline: discover, BOM, scan, report