Production | Published May 27, 2026 | 12 min read

Your agent's supply chain is the attack surface now

A poisoned VS Code extension spent eighteen minutes on the marketplace and walked off with Claude Code credentials and MCP configs. The model was never the target. Your agent's supply chain is: the extensions, skills, MCP servers, tool definitions, and keys it is allowed to touch. Here is how I harden all four layers, and the checklist I run on every deployment.

Jigar Joshi, Agentic AI Architect and Consultant

For eighteen minutes on May 18, a poisoned build of the Nx Console extension sat on the VS Code marketplace. That is a short window. It was long enough. The Mini Shai-Hulud worm that rode in on it spread across 170-plus npm packages and walked off with around 3,800 private GitHub repositories. The detail that should stop every agentic-AI team cold is what the payload reached for first: ~/.claude/settings.json and ~/.claude/mcp.json. It installed a persistence hook that re-runs the credential stealer every time a Claude Code session starts. This was not a generic smash-and-grab. It was the first supply-chain attack I have seen built specifically to harvest AI tool credentials and MCP server configs.

Here is the reframe I have been pushing on every client call since. When your agent misbehaves, you debug the prompt. When your agent gets you breached, the model was never the way in. A developer box running Claude Code is a ring of keys: cloud credentials, MCP server tokens, repository access, internal API endpoints, all sitting in config files the agent reads on startup. The model is the least interesting thing in that picture to an attacker. The interesting thing is everything the agent is allowed to touch. That is your supply chain now, and almost nobody is treating it like one.

What an agent supply chain actually is

Borrow the framing from classic software supply-chain security and apply it one layer up. In a normal app, your supply chain is your dependencies: the packages you pull, their transitive packages, and the build pipeline that assembles them. In an agentic system you inherit all of that and then add four more layers that execute with real privileges.

  • Editor and CLI extensions. The Nx vector. A VS Code extension or a CLI plugin runs with your full local permissions and can read any file your user can, including the credential files your agent depends on.
  • Skills. The SKILL.md files an agent loads to learn a capability. A skill is executable instruction the model trusts. An unsigned skill from an unknown author is an unreviewed pull request you merged straight into your agent's brain.
  • MCP servers and their configs. mcp.json holds the tokens and endpoints that turn an LLM into an agent with reach into your systems. It is the single highest-value file on the box.
  • Tool definitions and the data they return. The contract layer. A tool that over-returns or under-validates is both a reliability bug and a data-exfiltration path.

Each layer is a place where something you did not write runs with privileges you did grant. That is the definition of a supply chain. The Nx worm proved layer one is live. The rest of this is how I harden the other three.

Provenance is the primitive that was missing

For most of 2025 the answer to "is this skill safe to load" was a shrug. You read the SKILL.md if you had time, and you usually did not. NVIDIA's Verified Agent Skills, shipped in late May, are the first serious attempt to give skills the provenance record dependencies have had for years. Every verified skill is scanned, signed with a detached signature you can check after download, and paired with a skill card: a machine-readable record of who built it, what it is licensed under, what it depends on, and what risks it carries.

The part that matters beyond NVIDIA is that it builds on the open agentskills.io spec, so the same SKILL.md is meant to verify across Claude Code, Codex, and Cursor. Treat a skill the way you treat a dependency. You would not install an npm package with no author, no license, and no version, then run it as root. Stop loading skills that way. If a skill is not signed and you cannot read its skill card, it does not go in the agent. This is the same instinct as the contract discipline in tool registry design for agentic AI, pushed back to the moment a capability enters the system.

Move the secret check to the agent boundary

Coding agents leak credentials in ways humans rarely do. A human pastes an API key into a config to make a failing test pass and feels a flicker of guilt. An agent does the same thing with no guilt and no memory of having done it, then opens a pull request. GitHub's secret scanning going generally available inside the MCP server is the right fix in the right place: any MCP-compatible agent or IDE scans for exposed secrets before it commits or opens a PR, honoring the push-protection policy you already maintain.

The principle generalizes past GitHub. The check belongs at the boundary where the agent acts, not three steps later in CI when the secret is already in the history. If you have GitHub Secret Protection, switch this on for every repository your agents can write to. If you are on another platform, the takeaway is the same: put the scanner where the agent commits, not where you review.

Use the agent to defend the agent, and assume the other side did too

Anthropic's Project Glasswing put a hard number on the new reality. Roughly fifty partner organizations running an unreleased frontier model in defensive workflows surfaced more than 10,000 high or critical vulnerabilities across widely used software. The shippable piece, Claude Security, is in public beta: point it at a codebase and it scans for vulnerabilities and proposes fixes. Pilot it. It is the most capable code auditor most teams will have access to this year.

Then sit with the uncomfortable half of that sentence. The same capability that finds 10,000 bugs in defensive hands finds them just as well in offensive ones. Frontier models are now good enough at vulnerability discovery that the gap between your scanner and your attacker's scanner is mostly a question of who runs it first. That is an argument for scanning continuously rather than quarterly, and for closing the easy stuff (rotated credentials, scoped tokens, signed skills) before it becomes the easy way in.

The agent supply chain: where each layer gets compromised, and what to do.

| Layer | How it gets compromised | What to do |
| --- | --- | --- |
| Extensions and plugins | Trojanised editor or CLI extension reads local credential files | Pin versions, disable auto-update on credentialed machines, rotate after any incident |
| Skills (SKILL.md) | Unsigned skill from an unknown author ships hidden behavior | Require signatures and a readable skill card; treat skills like dependencies |
| MCP servers and mcp.json | Over-scoped tokens, exposed configs, public server endpoints | Least-privilege scopes, tunnels for private servers, audit the config file |
| Tool definitions | Over-returning tools leak data; under-validated tools accept bad input | Typed contracts, minimal projections, validation on the return |
| Credentials | Secrets pasted into code or configs and committed | Secret scanning at the agent boundary, a rotation plan, no long-lived keys |

The hardening checklist I run on every agent deployment

  1. Rotate and scope the credential files
     Treat ~/.claude/settings.json, mcp.json, and their equivalents as the crown jewels. Rotate anything that has lived in them, and cut every token down to the narrowest scope the agent actually uses.
  2. Pin the toolchain
     Pin extension and npm versions. Turn off auto-update for editor extensions on any machine with production credentials. The Nx worm needed eighteen minutes; auto-update is how it would have reached you.
  3. Require provenance on skills
     No unsigned skills, no skills without a readable skill card. Verify the signature after download. If you maintain an internal skill registry, sign your own.
  4. Scan secrets where the agent commits
     Enable secret scanning at the boundary (the MCP server, a pre-commit hook, the agent's write path), not only in CI. Catch the leak before it enters history.
  5. Scope and tunnel MCP access
     Least-privilege tool access per agent. Keep private MCP servers off the public internet with an outbound-only tunnel. Centralize payload audit so you can answer "what did the agent do" later. The governance side is covered in the Databricks Unity AI Gateway write-up.
  6. Scan continuously, not quarterly
     Wire a model-grade code scanner into the loop and run it on every change. Offense has the same model. The only edge is running it first.
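An added example, not the post's own tooling, that covers both the boundary check from "Move the secret check to the agent boundary" and checklist items 1, 4 and 5: a small Python auditor that flags inline secrets and non-loopback endpoints in an mcp.json-style file, and runs the same detector over a staged diff before the agent commits. It assumes the Claude Code style layout `{"mcpServers": {name: {"command": ..., "env": {...}, "url": ...}}}`; the sample config and diff are constructed, and the patterns cover only well-known AWS, GitHub and PEM shapes.

```python
import json
import re
import sys
# Credential shapes worth catching at the boundary; extend with your own token formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
LOOPBACK = ("http://localhost", "http://127.0.0.1", "https://localhost", "https://127.0.0.1")

def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted prefix) for every credential-shaped string in text."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)[:8] + "..."))
    return hits

def audit_mcp_config(config: dict) -> list[str]:
    """Flag inline secrets in env blocks and non-loopback endpoints (assumed mcp.json layout)."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for var, value in server.get("env", {}).items():
            for kind, _ in find_secrets(str(value)):
                findings.append(f"{name}: env {var} holds an inline {kind}; move it to a secret store")
        url = server.get("url")
        if url and not url.startswith(LOOPBACK):
            findings.append(f"{name}: remote endpoint {url}; confirm it is reached over a tunnel")
    return findings

def scan_staged_diff(diff: str) -> list[str]:
    """Pre-commit check: only the lines a commit adds can introduce a new secret."""
    findings = []
    for line in diff.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            for kind, snippet in find_secrets(line[1:]):
                findings.append(f"added line contains {kind} ({snippet})")
    return findings

# Constructed sample input (not a real deployment): one server with an inline PAT, one remote.
SAMPLE_CONFIG = {"mcpServers": {
    "github": {"command": "npx", "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_" + "A" * 36}},
    "internal-docs": {"url": "https://mcp.corp.example/sse"}}}
SAMPLE_DIFF = "+++ b/config.py\n-AWS_KEY = os.environ['AWS_ACCESS_KEY_ID']\n+AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"

if __name__ == "__main__":  # usage: python audit.py [path/to/mcp.json]
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_mcp_config(cfg) + scan_staged_diff(SAMPLE_DIFF):
        print(finding)
```

Wire `scan_staged_diff` to the output of `git diff --cached` in a pre-commit hook and fail the commit on any finding; run `audit_mcp_config` over each developer's config as part of the rotation review.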

The mistakes I see most

  • Debugging the model when the breach was in the toolchain. The prompt is almost never the security story.
  • Loading skills and extensions on trust because reviewing them is tedious. Tedious is the job now.
  • MCP servers running with admin-grade tokens because narrowing the scopes was a follow-up task that never happened.
  • Auto-updating editor extensions on the same machine that holds production keys.
  • No rotation plan, so the answer to "were we exposed" after an incident is a shrug.

None of this is exotic security work. It is dependency hygiene, least privilege, and credential rotation, applied to a part of the stack that did not exist two years ago and now runs with your permissions every time you open your editor. The teams that get breached through their agents in the next year will not be the ones with weak models. They will be the ones who never drew the supply chain and so never secured it. Draw yours, then close the easy doors before someone else finds them.

Sources: the Nx Console worm and GitHub repository breach at https://thehackernews.com/2026/05/github-internal-repositories-breached.html; NVIDIA Verified Agent Skills at https://developer.nvidia.com/blog/nvidia-verified-agent-skills-provide-capability-governance-for-ai-agents/; GitHub secret scanning in the MCP server at https://github.blog/changelog/2026-05-05-secret-scanning-with-github-mcp-server-is-now-generally-available/; and Anthropic Project Glasswing at https://www.anthropic.com/research/glasswing-initial-update.
