From npm Worms to MCP Poisoning: How AI-Agent Supply Chain Attacks Are Evolving
Software supply-chain poisoning is not a new story. In 2018, event-stream was backdoored to steal cryptocurrency wallets. In 2021, ua-parser-js — with nearly 8 million weekly downloads — was hijacked to distribute miners and credential stealers. The 2024 xz/liblzma backdoor (CVE-2024-3094) saw an attacker spend three years earning a maintainer's trust, one step away from landing inside every major Linux distribution. And in September 2025, the self-replicating npm worm "Shai-Hulud" infected hundreds of packages, using stolen maintainer credentials to poison downstream projects automatically. Attacks have industrialized.
The attack surface is moving to the Agent ecosystem
As enterprises adopt AI Agents at scale, a new and largely ungoverned distribution channel has emerged: MCP servers and Agent Skills. They install like plugins but carry far more privilege than a typical dependency — reading and writing files, calling internal APIs, sending email, driving the browser.
Real incidents have already happened. In the postmark-mcp case disclosed in September 2025, an MCP server published on npm behaved normally for several releases — then a quiet update added one line of code that BCC'd every outgoing email to the attacker. Researchers have also demonstrated "tool poisoning": hiding malicious instructions inside MCP tool descriptions to make the model exfiltrate SSH keys without the user noticing. And the RCE in mcp-remote (CVE-2025-6514, CVSS 9.6) proved that merely connecting to an untrusted MCP server can compromise the host.
Why malware detection is not enough
Traditional security tooling has a structural blind spot here: the danger of a Skill usually comes not from malicious code, but from the combination of capabilities it is granted.
- The manual is the attack surface. A Skill's behavior is largely driven by natural-language files such as SKILL.md. Prompt injection can hide in documentation that static scanners never read.
- Benign can still be dangerous. A perfectly functional "email summarizer" that can both read mail and reach an external API is a ready-made exfiltration channel — with zero lines of malware.
- Composed attack chains. Skills that are harmless alone (file read + network access + scheduled tasks) can be combined into a complete intrusion path.
The right question is not "is it malicious?" but "once enabled, which approval-worthy capabilities does it grant the Agent?" That is the dividing line between capability auditing and malware detection.
MCP vs. Skill: two trust models, two audit checklists
Though often discussed together, the two carry different risk structures. An MCP server is a runtime service — dynamic, often remote, updatable at any time. The audit focus is endpoint behavior and drift in tool descriptions: a server that passed review yesterday can change behavior with one silent update, exactly the postmark-mcp path. A Skill is a capability bundle — a static combination of manual plus scripts, where the biggest risk is divergence between declaration and implementation: the docs say read-only while the script writes; the docs say local processing while the code phones home. Auditing must read both the natural language and the code, and check that they agree — which is why code-only scanners are structurally blind in this ecosystem.
Three lines of defense
Admission gates. Every MCP server or Skill must be audited before entering the enterprise environment, with an explicit block / need_review / pass verdict. Sectrend SkillSec productizes this approach: 7 risk domains, 30+ structured capability tags, E1–E5 evidence grading, with evidence chains precise to the line number in SKILL.md.
Continuous version monitoring. The postmark-mcp lesson is that "clean at listing" does not mean "clean forever." Every update should be re-audited, with attention to behavioral diffs.
Least privilege at runtime. Scope the Agent's actual authorization to its capability tags, so even poisoning that slips through has little to monetize.
The history of supply-chain attacks follows one rule: wherever the distribution channel goes, poisoning follows. npm needed seven years to build mature defenses. The Agent ecosystem does not have seven years — its privileges are too broad and its growth too fast. Auditing before enablement is the thing you can do today.
