In March 2025, security researchers at Invariant Labs showed they could hijack a Claude-powered coding agent connected to the official GitHub MCP server — not by breaking any code, but by planting a single malicious issue in a public repository. The agent read the issue as part of its normal workflow, followed embedded instructions, and quietly exfiltrated private repository data. No malware. No exploit chain. Just a tool call the agent trusted by default.
This is the new shape of the software supply chain. Agentic AI systems don't just import packages at build time — they pull in tools, models, and servers at runtime, deciding for themselves what to trust based on descriptions they read on the fly. That collapses decades of supply chain assumptions built around static dependency trees and human code review. Below, we walk through how these vulnerabilities actually work, using real incidents from the last two years, and what it takes to close the gap.
What makes agentic AI supply chains different from traditional software supply chains?
The core difference is that trust decisions move from build-time to run-time, and from humans to the model itself. A traditional supply chain risk lives in package.json or requirements.txt: a human (or a scanner) can inspect it before code ships. An agentic AI system built on the Model Context Protocol (MCP), released by Anthropic in November 2024, instead connects to external tool servers dynamically — often dozens of them — and the agent reads each tool's self-reported description to decide how and when to use it. There is no equivalent of a lockfile for "tools an LLM decided to trust mid-conversation." By mid-2025, public MCP server registries listed thousands of community-built servers, most unsigned, unaudited, and installable with a single config-file edit. The attack surface isn't just what your agent imports once — it's every tool it might call, every session, based on text it wasn't built to verify.
How are attackers poisoning MCP servers and AI agent tools?
Attackers are exploiting the fact that agents trust tool metadata as much as tool code, through what Invariant Labs named "tool poisoning attacks" in April 2025. In a tool poisoning attack, a malicious or compromised MCP server ships a tool whose visible description looks benign — "reads local weather data" — while a hidden instruction block, invisible in most client UIs, tells the connected LLM to also read SSH keys or exfiltrate environment variables. Because the agent parses the entire tool schema as trusted context, it complies. A related variant, the "rug pull," is worse for CI/CD pipelines specifically: a tool can pass review with a safe description on install, then silently change its definition on a later fetch, after your team has already approved it. Invariant's research disclosed that this class of attack worked against multiple production MCP clients without triggering any existing security control, because none of those controls were checking tool descriptions as untrusted input.
Can compromised AI/ML packages still reach production undetected?
Yes, and this has already happened at scale more than once. In February 2024, JFrog's security research team scanned the Hugging Face Hub and found roughly 100 malicious models using unsafe pickle deserialization to plant reverse shells the moment a developer ran torch.load() — no fine-tuning or inference required to trigger the payload. In December 2024, Ultralytics' popular YOLO package on PyPI (millions of monthly downloads) was compromised via a poisoned GitHub Actions cache, and versions 8.3.41 and 8.3.42 shipped a cryptominer straight to anyone who ran pip install ultralytics. And the pattern is older than the current AI boom: in December 2022, PyTorch's nightly builds were hit by a dependency confusion attack on the torchtriton package that exfiltrated SSH keys, hostnames, and environment variables from every machine that installed it. Each of these was a standard-looking package on a standard-looking registry. Agentic pipelines that auto-update models, tools, or dependencies without a verification gate inherit every one of these risks automatically, and faster than a human reviewer would ever move.
What happens when an AI agent's own dependencies get hijacked mid-session?
The blast radius is larger than a compromised library in a traditional app, because the agent has standing permissions and can act on them immediately. A normal app with a poisoned dependency still needs a code path to actually execute the malicious logic. An AI agent with file system access, shell execution, or API keys wired into its tool belt will act on a poisoned tool's instructions the moment it's invoked — often within the same turn a user asked it to "fix this bug" or "deploy this branch." Security researchers have documented this as "confused deputy" behavior in agent frameworks: the agent is authorized to act, the poisoned tool is not authorized to instruct it, but the agent can't reliably tell the difference between a legitimate user request and an instruction smuggled in through a tool's output or description. This is why a single compromised MCP server or one poisoned pip package can turn into credential theft, lateral movement, or data exfiltration in seconds rather than the days or weeks it typically takes a manual supply chain compromise to matter.
Are these vulnerabilities being actively exploited today?
Yes — CVE data from 2025 shows this moved from theoretical to actively patched within months of MCP's release. In June 2025, Oligo Security disclosed CVE-2025-49596, a remote code execution vulnerability in Anthropic's own MCP Inspector tool, rated CVSS 9.4, caused by an unauthenticated debug endpoint that let any local web page or script trigger arbitrary command execution on a developer's machine. The following month, CVE-2025-6514 was disclosed in the widely used mcp-remote project, a command injection flaw affecting any client using it to proxy remote MCP connections. Both CVEs shared a root cause: components built fast to support the agentic AI ecosystem, shipped without the authentication and input-validation hygiene expected of internet-facing tooling. Given that MCP adoption grew from a November 2024 launch to thousands of public servers within a year, the ratio of new attack surface to security maturity is exactly the gap attackers look for — and CVE volume in this space is very likely to keep climbing through 2026, not level off.
How Safeguard Helps
Safeguard treats every agentic AI dependency — MCP servers, model weights, tool definitions, and the packages behind them — as first-class supply chain artifacts that need the same provenance and integrity checks as any binary you'd ship to production. Instead of trusting a tool's self-reported description, Safeguard verifies signed provenance for MCP servers and model files, flags unsigned or newly-published sources before they're wired into an agent's tool belt, and detects the "rug pull" pattern by diffing tool schemas across fetches rather than trusting the first approval forever.
For the package-level risk, Safeguard's scanning pipeline checks Python, npm, and model-hub artifacts against known-malicious indicators, including unsafe pickle deserialization patterns like the ones JFrog found on Hugging Face, and typosquat or dependency-confusion patterns like the ones behind the 2022 PyTorch and 2024 Ultralytics incidents, before they land in a build. And because CVE-2025-49596 and CVE-2025-6514 showed that agentic tooling itself carries CVEs, Safeguard's monitoring extends to the MCP servers, inspectors, and agent frameworks a team runs internally, alerting on new disclosures against exactly the components in your stack rather than a generic feed.
The goal isn't to slow agentic AI adoption down — it's to give agents the same supply chain discipline that took traditional software fifteen years and dozens of high-profile breaches to earn, before this ecosystem needs to learn those lessons the hard way.