Supply Chain Attacks via Agents
T11 · Agentic & Orchestrator Exploitation

Coding and DevOps agents are increasingly granted write access to the exact artifacts that define a software supply chain — source repositories, dependency manifests, build scripts, CI/CD pipelines, container images, package-registry credentials, and model registries. The trust boundary violated is the one downstream consumers implicitly rely on: anything that ships through trusted build and distribution infrastructure is presumed legitimate, so a malicious change an agent commits or publishes is automatically trusted by everyone who pulls it.

json`, push to `main`, or add a GitHub Action can plant a backdoor that propagates to every downstream build.
- Require signed commits and enforce branch protection / mandatory review on protected branches; flag agent pushes to main
- Monitor dependency-manifest and lockfile changes for newly added or typosquatted packages
- Alert on edits to CI/CD definitions, build scripts, and workflow files performed by agents
- Verify artifact provenance/attestation (e.g., SLSA-style) and detect images/binaries lacking expected signatures
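The manifest and CI/CD checks above can be run as a commit triage step before an agent's change is merged. The script below is an added example, not part of this catalogue entry or of any project it references; it assumes the reviewer already has the list of paths changed by the commit and the before/after content of an npm `package.json`, and all manifests, paths and the known-good package list are constructed sample data. It flags edits to workflow and build definitions, diffs the dependency set, compares each newly added name against a known-good list by edit distance to catch look-alike (typosquat) names, and flags dependency specifiers that bypass the package registry.

```python
"""Triage one agent-authored commit for supply-chain risk (added example)."""

# CI/CD and build definitions: any agent edit here is alerted on outright.
# Entries ending in "/" match as path prefixes; the rest match the file name.
SENSITIVE_PREFIXES = (".github/workflows/", ".circleci/", ".gitlab-ci.yml",
                      "Jenkinsfile", "Dockerfile", "Makefile", "azure-pipelines.yml")
# Dependency manifests and lockfiles: flagged for review; package.json itself
# is diffed below rather than merely flagged.
MANIFEST_FILES = {"package.json", "package-lock.json", "requirements.txt",
                  "go.mod", "Cargo.toml", "pyproject.toml"}
# Specifiers that pull code from somewhere other than the package registry.
NON_REGISTRY_SPECS = ("git+", "github:", "http://", "https://", "file:")


def levenshtein(a, b):
    """Plain edit distance; a small distance to a popular name suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_matches(name, known_names, max_distance=2, min_len=5):
    """Known-good names that `name` closely resembles without being identical."""
    if len(name) < min_len:          # very short names collide by chance
        return []
    return sorted(k for k in known_names
                  if k != name and levenshtein(name, k) <= max_distance)


def dependency_set(manifest):
    """Flatten the dependency sections of a package.json into {name: specifier}."""
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    return deps


def added_dependencies(old_manifest, new_manifest):
    """Dependencies present after the change but not before."""
    old, new = dependency_set(old_manifest), dependency_set(new_manifest)
    return {name: spec for name, spec in new.items() if name not in old}


def triage_commit(changed_paths, old_manifest, new_manifest, known_names):
    """Return a list of (severity, message) findings for one commit."""
    findings = []
    for path in changed_paths:
        base = path.rsplit("/", 1)[-1]
        if path.startswith(SENSITIVE_PREFIXES) or base in SENSITIVE_PREFIXES:
            findings.append(("alert", f"CI/CD or build definition modified: {path}"))
        elif base in MANIFEST_FILES and base != "package.json":
            findings.append(("review", f"dependency manifest/lockfile changed: {path}"))
    for name, spec in added_dependencies(old_manifest, new_manifest).items():
        lookalikes = typosquat_matches(name, known_names)
        if lookalikes:
            findings.append(("alert", f"new dependency {name}@{spec} resembles {lookalikes}"))
        elif name not in known_names:
            findings.append(("review", f"new dependency {name}@{spec} not on the known-good list"))
        if spec.startswith(NON_REGISTRY_SPECS):
            findings.append(("alert", f"dependency {name} fetched outside the registry: {spec}"))
    return findings


# Constructed sample commit: the agent touched a workflow file and added two
# packages, one a look-alike of a popular name, one fetched straight from git.
OLD_MANIFEST = {"name": "demo",
                "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21"}}
NEW_MANIFEST = {"name": "demo",
                "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21",
                                 "lodahs": "^1.0.3"},
                "devDependencies": {"left-pad-util": "git+https://example.invalid/x/y.git"}}
CHANGED_PATHS = [".github/workflows/ci.yml", "package.json",
                 "package-lock.json", "src/app.js"]
KNOWN_GOOD = {"express", "lodash", "react", "axios"}  # constructed allowlist

if __name__ == "__main__":
    for severity, message in triage_commit(CHANGED_PATHS, OLD_MANIFEST,
                                           NEW_MANIFEST, KNOWN_GOOD):
        print(f"[{severity.upper()}] {message}")
```

Run against the sample commit this yields five findings: an alert for the workflow edit, a review item for the lockfile, an alert for `lodahs` resembling `lodash`, a review item for `left-pad-util` being unknown, and an alert for its git specifier. The known-good list and the edit-distance threshold are the tunables; the same structure extends to other manifest formats by swapping `dependency_set` for a parser of that format.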
Supply-chain abuse is typically reached after T11-AT-008 (harvested CI/registry tokens) or via T11-AT-002 (deploy/upload tool, T11-AP-002I) and the same MCP tool-poisoning vector flagged in the threat update. It is the propagation engine for T11-AT-015 (autonomous replication) and a delivery mechanism for T11-AT-009 persistence at scale; a public-repo push (T11-AT-011 T11-AP-011C) can also become an exposure/supply-chain event.