Your Agent Is Installing Dependencies Right Now

88% of organizations have had agent security incidents. Thousands of MCP servers are exposed, with API keys stolen at scale. A supply chain attack on Bitwarden CLI specifically targeted AI coding tool credentials. The identity layer is being solved. The supply chain layer hasn’t started.

Three things happened in the last two weeks that, taken together, signal a phase shift in how to think about AI agent security.

First: A Gravitee survey found that 88% of organizations have had confirmed or suspected agent security incidents. Not theoretical. Operational.

Second: A supply chain attack on Bitwarden CLI specifically targeted AI coding tool credentials — not developer laptops in general, but the tokens used by tools like Claude Code and Cursor.

Third: MCPwn — the first named exploit campaign targeting MCP servers — exposed thousands of MCP server instances across dozens of countries. One CVE in that campaign (CVE-2026-25253, CVSS 8.8) provides unauthenticated access to stored Claude, OpenAI, and Google AI API keys.

The agent security wave is real. What I want to argue is that one part of it is being systematically underweighted: supply chain risk.


The Identity Layer Is Being Solved

Okta launches Okta for AI Agents on April 30 — shadow agent detection, universal logout, agent gateway. Google Cloud Agent Identity and Microsoft Entra have shipped equivalent features. The 45% of organizations still using shared API keys for agents now have no excuse.

Identity is the question of whether an agent is authorized to act. L3 identity is now commoditized. Multiple vendors, GA, enterprise-grade.

But identity is not supply chain. Identity tells you who is acting. Supply chain tells you whether what the agent is running can be trusted. These are different questions. The ecosystem is answering the first. Nobody is answering the second.


Why Agents Are Different From Developers

A human developer installs a dependency deliberately. They see the package name. They may skim the changelog. The act is bounded — one package, one decision, visible in a diff.

An agent installs packages at agent speed. Claude Code scaffolds a new project: 15 dependencies land before you’ve opened the terminal. A coding agent adds a utility library: one npm install, no review gate, no diff shown. A DevOps agent sets up a deployment pipeline: dozens of packages, all selected by the agent’s reasoning, none reviewed package-by-package by a human.

The Bitwarden CLI attack was an early data point. Attackers already know that agents install tools. They’ve started designing attacks for the installation path specifically.

The threat model has changed. The old version: human installs package → package runs on their machine → credential stolen. The new version: agent is given a task → agent installs packages → agent runs code → agent’s credentials stolen → agent acts on behalf of the human at agent speed, without human oversight of each step.

The surface area compounds. A compromised agent isn’t one developer with a stolen key — it’s every action that agent takes, autonomously, until someone notices.
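The installation path described above is where a defender can reintroduce a bounded decision. The following is an added example, not code from the original post and not Commit's own tooling: a policy hook that sits between an agent's proposed shell command and its execution. It parses `npm install` invocations, requires exact version pins, auto-allows only packages a human already approved, denies a blocklist, and rewrites the command with npm's real `--ignore-scripts` flag so a lifecycle script cannot run with the agent's credentials. The allowlist and blocklist contents, and the hypothetical `example-malicious-pkg` name, are constructed for illustration.

```python
"""Install-path gate for an AI coding agent (added example, not Commit's code)."""
import re
import shlex
from dataclasses import dataclass, field

# Constructed policy data (placeholders, not real packages or verdicts):
# packages a human has already approved at a given version, and names
# that must never be installed.
APPROVED = {"lodash": {"4.17.21"}, "express": {"4.19.2"}}
BLOCKED = {"example-malicious-pkg"}

# Exact pin only: name@MAJOR.MINOR.PATCH, optionally @scope/name@x.y.z.
PINNED = re.compile(
    r"^(?P<name>@?[a-z0-9][a-z0-9._-]*(?:/[a-z0-9][a-z0-9._-]*)?)"
    r"@(?P<ver>\d+\.\d+\.\d+)$"
)

RANK = {"allow": 0, "review": 1, "deny": 2}


@dataclass
class Decision:
    verdict: str                      # "allow" (auto), "review" (human), "deny"
    reasons: list = field(default_factory=list)
    command: str = ""                 # rewritten command to execute if allowed


def parse_install(cmd: str):
    """Return the argument list of an npm install command, or None if the
    command is not an npm install at all."""
    argv = shlex.split(cmd)
    if len(argv) < 2 or argv[0] != "npm" or argv[1] not in {"install", "i", "add"}:
        return None
    return argv[2:]


def gate(cmd: str) -> Decision:
    """Evaluate an agent-proposed command against the install policy."""
    args = parse_install(cmd)
    if args is None:
        return Decision("allow", ["not an npm install"], cmd)

    specs = [a for a in args if not a.startswith("-")]
    flags = [a for a in args if a.startswith("-")]
    verdict, reasons = "allow", []

    def escalate(level, why):
        nonlocal verdict
        reasons.append(why)
        if RANK[level] > RANK[verdict]:
            verdict = level

    if not specs:
        # Bare `npm install` resolves the whole manifest; scope is unbounded.
        escalate("review", "bare install with no package specs")

    for spec in specs:
        m = PINNED.match(spec)
        if not m:
            escalate("review", f"{spec}: not pinned to an exact version")
            continue
        name, ver = m["name"], m["ver"]
        if name in BLOCKED:
            escalate("deny", f"{name}: on blocklist")
        elif ver not in APPROVED.get(name, set()):
            escalate("review", f"{name}@{ver}: not yet approved by a human")

    # Always strip lifecycle scripts, even for approved packages.
    if "--ignore-scripts" not in flags:
        flags.append("--ignore-scripts")
    rewritten = " ".join(["npm", "install", *flags, *specs])
    return Decision(verdict, reasons, rewritten)


if __name__ == "__main__":
    for c in ["npm install lodash@4.17.21", "npm install lodash",
              "npm i example-malicious-pkg@1.0.0", "npm install"]:
        d = gate(c)
        print(f"{c!r:45} -> {d.verdict:6} {d.reasons}")
```

In practice the hook would be wired into whichever tool-call interception point the agent runtime exposes; the point of the example is that "review" is a queue a human drains, not a gate the agent can talk its way past.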


The MCP Ecosystem Is the Proof of Concept

MCP servers are the packages agents install. Agents connect to them, trust them, and execute their tools — often without any review of what those tools actually do.

When OX Security submitted a proof-of-concept server to 11 major MCP marketplaces to test their review processes, 9 of 11 published it without detection. No automated scanning caught it. No human review flagged it. The server passed every gate between upload and installation.

MCPwn exposed thousands of MCP server instances. The broader ecosystem accumulated 138 CVEs in 2026. CVE-2026-25253 (CVSS 8.8) provides unauthenticated access to stored API tokens for Claude, OpenAI, and Google AI — plain text, no authentication required.

This is the npm crisis, compressed. npm took a decade to get serious about supply chain security, accumulating event-stream (2018), ua-parser-js (2021), colors.js (2022), and a long tail of smaller incidents along the way. MCP is compressing that same trajectory into months, with a larger attack surface — arbitrary code execution, not just package-time injection — and higher stakes, because the credentials at risk are the keys to the AI systems themselves.


When Meta Gets It Wrong From the Inside

A recent Meta internal incident added a different angle. An employee implemented an AI agent’s recommendation without adequate review, briefly exposing internal data to wrong parties. External attacker? No. Compromised package? No. An AI-assisted decision that outpaced the human review process around it.

The question the incident raises: it’s not just “what does this agent have permission to do?” It’s “what does this agent think it has permission to do — and what does it depend on to make that judgment?”

The packages agents depend on shape their behavior. A tool that lies about its scope. An MCP server that expands its own permissions. A dependency that alters the agent’s output in ways designed to trigger downstream actions. These aren’t hypothetical attack classes. They’re the classes that the MCPwn campaign and the OX Security research proved work at scale.


What Point-in-Time Scanning Misses

The response to every supply chain crisis follows the same playbook: add more review gates. More scanning at submission. More automated checks. More human oversight at intake.

Every time, the attack happens after the gate closes.

event-stream passed every npm check when it was first published. ua-parser-js had a clean audit record when its maintainer account was compromised. The OX Security proof-of-concept passed 9 of 11 marketplace reviews. The pattern is consistent: review gates verify state at a point in time. The attack happens later.

We’ve written about this as the TOCTOU of trust. When we applied behavioral trust scoring retrospectively to the worst npm supply chain incidents, the structural signals were present before every attack. event-stream’s injected dependency scored 13 out of 100. ua-parser-js had single-maintainer concentration risk before its compromise. The signals were there. Nobody was reading them continuously.


What Comes Next

The identity problem is getting solved. Okta, Google, Microsoft — all three major identity providers now treat agents as first-class principals. The authentication layer is shipping.

The supply chain problem is open. Nobody is continuously monitoring the packages agents depend on — not at agent speed, not with behavioral signals, not in a way that degrades trust in real time when a package’s structural risk profile changes.

This is what Commit was built for. Behavioral trust scoring — not point-in-time scans, not CVE matching, but continuous monitoring of the structural signals that predict supply chain incidents before they appear in a vulnerability database. Maintainer concentration. Dependency injection. Publish anomalies. The signals that were present before event-stream, before ua-parser-js, before every incident where “npm audit returned zero vulnerabilities.”
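To make the contrast between point-in-time review and continuous structural signals concrete, here is an added example that is not the post's own analysis and not Commit's actual scoring model: a small scorer that re-evaluates a package at every release using only what is visible at that moment (who can publish, who did publish, what dependencies changed, how long the package was dormant, whether an install script appeared). The release history, account names, dependency names and weights are all constructed to resemble the shape of a maintainer-handover-then-injection incident; they are not real data and the weights are illustrative.

```python
"""Continuous structural-risk scoring over a package's release history
(added example; constructed data, not Commit's model)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Release:
    version: str
    published: datetime
    publisher: str            # account that pushed this release
    maintainers: frozenset    # accounts with publish rights at that time
    dependencies: frozenset
    has_install_script: bool


# Constructed history (placeholder accounts and packages).
HISTORY = [
    Release("1.0.0", datetime(2025, 1, 10), "alice",
            frozenset({"alice"}), frozenset({"util-a"}), False),
    Release("1.0.1", datetime(2025, 3, 2), "alice",
            frozenset({"alice"}), frozenset({"util-a"}), False),
    # Nine months of silence, then a newly added account ships a patch
    # release that adds an unrelated dependency and an install script.
    Release("1.0.2", datetime(2025, 12, 1), "mallory",
            frozenset({"alice", "mallory"}),
            frozenset({"util-a", "injected-dep"}), True),
]


def is_patch_bump(prev_ver: str, cur_ver: str) -> bool:
    """True when only the patch component changed between two versions."""
    pa, pb = prev_ver.split("."), cur_ver.split(".")
    return pa[:2] == pb[:2] and pa[2] != pb[2]


def score(history, i):
    """Score history[i] from 100 (no findings) down to 0 using only
    structural signals observable at that release. Returns (score, findings).
    Weights are illustrative, not calibrated."""
    cur = history[i]
    prev = history[i - 1] if i > 0 else None
    s, findings = 100, []

    if len(cur.maintainers) == 1:
        s -= 15
        findings.append("single-maintainer concentration")

    if prev is not None:
        new_maint = cur.maintainers - prev.maintainers
        if cur.publisher in new_maint:
            s -= 30
            findings.append(f"first publish by newly added maintainer {cur.publisher}")
        new_deps = cur.dependencies - prev.dependencies
        if new_deps and is_patch_bump(prev.version, cur.version):
            s -= 25
            findings.append(f"new dependency in patch release: {sorted(new_deps)}")
        gap = (cur.published - prev.published).days
        if gap > 180:
            s -= 10
            findings.append(f"publish after {gap} days dormant")
        if cur.has_install_script and not prev.has_install_script:
            s -= 20
            findings.append("install script added")

    return max(s, 0), findings


def monitor(history, threshold=60):
    """Re-score every release. Returns the per-release rows and the first
    version whose score fell below the threshold (None if none did)."""
    rows = [(r.version, *score(history, i)) for i, r in enumerate(history)]
    degraded = next((v for v, s, _ in rows if s < threshold), None)
    return rows, degraded


if __name__ == "__main__":
    rows, degraded = monitor(HISTORY)
    for version, s, findings in rows:
        print(f"{version}: {s:3d}  {findings}")
    print("trust degraded at:", degraded)
```

Every release in that history would match zero entries in a vulnerability database at the moment it was published; the drop from 85 to 15 at 1.0.2 comes entirely from the structural signals, and only shows up if something is re-scoring the package when the release lands rather than when it was first admitted.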

Run it against what your agents depend on:

npx proof-of-commitment npm <package>

# Or for MCP servers:
npx proof-of-commitment mcp-remote <server>

# Web audit:
# https://getcommit.dev/audit

The agent security wave is real. The identity layer is being solved. Supply chain is the layer that’s still open — and agents are installing dependencies faster than the security model is moving.


Sources: Gravitee (February 2026) — 88% agent security incidents; CVE-2026-25253 (CVSS 8.8); OX Security marketplace poisoning research (April 2026); MCPwn 135K+ instances (CVE-2026-33032); Meta AI agent breach (April 2026); Okta for AI Agents GA announcement (April 2026).
