Agentic supply chain is the full dependency graph of an AI agent system — MCP servers, plugins, SDKs, base models, fine-tunes, and external data sources — each of which represents an attack surface that a threat actor can target to compromise the agent without ever touching your code.
What Is the Agentic Supply Chain?
You didn't build most of what your agent runs on. Someone else built the MCP server it uses to query your database. Someone else wrote the SDK that handles tool calls. Someone else trained (and may have fine-tuned) the base model. Someone else is hosting the external API your agent calls for enrichment data.
Every one of those dependencies is a link in the agentic supply chain. Compromise any link, and you've compromised every agent that depends on it.
The software supply chain problem is not new — SolarWinds, Log4Shell, XZ Utils. What's new is that the supply chain just got an LLM layer. That layer reasons over inputs and generates actions. A compromised dependency in a traditional app might exfiltrate data. A compromised dependency in an agentic system can exfiltrate data, impersonate users, modify records, and propagate instructions to downstream agents — all through the mechanism the legitimate system uses to function.
The Agentic-Specific Risks
Poisoned fine-tunes. A base model fine-tuned on attacker-controlled data can have backdoor behaviors baked in — specific trigger phrases that cause the model to deviate from its intended behavior.
Malicious MCP servers. The MCP ecosystem is growing faster than security scrutiny can keep pace. Typosquatting, compromised maintainers, and auto-update vectors are all live threats.
Compromised prompt templates. If your agent system loads system prompts or tool definitions from an external source at runtime, that source is part of your supply chain. Compromise it and you control the agent's instructions.
Untrusted external data. Any external data source that flows into the agent's context — web pages, RSS feeds, third-party APIs — is a supply chain input. Indirect prompt injection at scale is a supply chain attack.
Defense
- Treat MCP servers and plugins like production dependencies. Review them, pin versions, verify hashes.
- Never auto-update agentic components in production without a review gate.
- Minimize runtime configuration loading. System prompts loaded from external URLs at agent startup are a critical single point of compromise.
- Know your full dependency graph. You can't protect what you haven't inventoried.
The agentic supply chain is the attack surface that scales with your adoption of external components. It grows every time you add a new tool.