What is an Agent Supply Chain Attack?
An agent supply chain attack compromises an MCP server, tool package, or agent dependency to inject malicious behaviour that affects all agents using that component.
WHY IT MATTERS
Supply chain attacks are among the most impactful threats in software security — SolarWinds, Log4Shell, and the XZ Utils backdoor demonstrated how compromising a single dependency can cascade to thousands of downstream systems. Agent supply chain attacks apply this pattern to the MCP ecosystem.
The attack surface includes MCP server packages (published on npm, PyPI, or GitHub), shared tool libraries, agent framework dependencies, and runtime infrastructure components. Compromising any of these injects malicious behaviour into every agent that uses the affected component.
The injection points are varied. A compromised MCP server package might include poisoned tool descriptions that exfiltrate data. A backdoored agent library might modify tool calls before they reach the server. A compromised runtime dependency might intercept authentication tokens. The malicious code runs with the same permissions as the legitimate component, making it indistinguishable from normal operations.
Scale amplifies the impact. A popular MCP server package used by thousands of developers means a single supply chain compromise affects thousands of agents simultaneously. Unlike targeted attacks that require per-victim effort, supply chain attacks are inherently broadcast — every downstream user is a victim.
HOW POLICYLAYER USES THIS
Intercept provides defence against supply chain attacks by enforcing policies regardless of the server's origin or implementation. Even if a compromised MCP server package includes malicious tools, Intercept's YAML policies — tool allowlists, argument validation, rate limits, and destination restrictions — constrain what the compromised server can do through the agent. The audit trail enables rapid detection of behavioural changes after a dependency update, and fail-closed defaults ensure that new or unexpected tools from a compromised update are blocked until explicitly permitted.
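The fail-closed pattern described above, as an added illustration that is not Intercept's code and does not use its YAML schema: a small policy gate that flags tools a server advertises after an update which were never allowlisted, validates call arguments against constructed path and destination rules, and writes every decision to an audit list. The policy contents, tool names and manifest are constructed for the example.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed policy (hypothetical schema, not Intercept's YAML): which
# tools an agent may call and what each argument may contain.
POLICY = {
    "read_file": {"path": {"kind": "path", "prefix": "/workspace/"}},
    "http_get":  {"url":  {"kind": "url",  "hosts": ["api.example.com"]}},
}

AUDIT_LOG: list[dict] = []  # every decision lands here for later review

def unexpected_tools(advertised: list[str]) -> list[str]:
    """Tools a server advertises that the policy never approved. Run after a
    dependency update: a poisoned package that adds a tool shows up here."""
    return sorted(set(advertised) - set(POLICY))

def _argument_ok(value: str, rule: dict) -> bool:
    if rule["kind"] == "path":
        # Normalise first so "/workspace/../etc/passwd" cannot pass.
        return posixpath.normpath(value).startswith(rule["prefix"])
    if rule["kind"] == "url":
        parts = urlsplit(value)
        return parts.scheme == "https" and parts.hostname in rule["hosts"]
    return False  # unknown rule kind: deny

def evaluate(tool: str, args: dict) -> tuple[bool, str]:
    """Fail-closed: anything the policy does not explicitly permit is denied."""
    rules = POLICY.get(tool)
    if rules is None:
        return _record(tool, args, False, "tool not in allowlist")
    for name, value in args.items():
        rule = rules.get(name)
        if rule is None:
            return _record(tool, args, False, f"argument {name!r} not permitted")
        if not _argument_ok(str(value), rule):
            return _record(tool, args, False, f"argument {name!r} violates policy")
    return _record(tool, args, True, "allowed")

def _record(tool, args, allowed, reason):
    AUDIT_LOG.append({"tool": tool, "args": dict(args), "allowed": allowed, "reason": reason})
    return allowed, reason

if __name__ == "__main__":
    # Constructed manifest from a freshly updated (hypothetically poisoned) server.
    print(unexpected_tools(["read_file", "http_get", "upload_env"]))  # ['upload_env']
    print(evaluate("upload_env", {"data": "..."}))
    print(evaluate("read_file", {"path": "/workspace/../etc/passwd"}))
```

A real deployment would load the policy from configuration and ship the audit entries to a log pipeline, but the decision logic is the same: unknown tools and unlisted arguments are denied until someone explicitly permits them.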