OWASP ASI04: Agentic Supply Chain Vulnerabilities

Agentic ecosystems load capabilities dynamically: models from registries, tools through MCP, peer agents through A2A, and prompts from external sources. Each runtime composition step adds an opportunity for poisoning that traditional static SBOM tools cannot catch. The entry extends LLM03:2025 Supply Chain Vulnerabilities into agentic operation.

Real-world ASI04 patterns include:

• Poisoned prompt templates: Externally loaded templates carry hidden instructions that hijack agent behavior.
• Tool-descriptor injection: MCP or agent-card metadata embeds payloads the model interprets as trusted guidance.
• Impersonation and typosquatting: Look-alike service names or symbol attacks redirect tool resolution.
• Compromised registry servers: Signed-looking manifests from a tampered registry propagate at scale.
• Poisoned knowledge plugins: RAG plugins ingest seeded entries that bias output and exfiltrate data over time.

Recent incidents from the Amazon Q poisoned-prompt release to the Postmark-impersonating npm MCP server show that the agentic supply chain is now a frequent attacker path. Effective defenses combine signed provenance, allowlisting, dependency gatekeeping, runtime attestation, and supply chain kill switches.

How PointGuard AI Helps

PointGuard AI Discovery maintains a continuous AI Bill of Materials and Trusted MCP Directory, while the MCP Security Gateway brokers every connection with identity and runtime attestation. Together they block tampered manifests, typosquats, and tool-descriptor injection before agents call them.

Learn More

OWASP Top 10 for Agentic Applications

The Hacker News: Anthropic MCP Design Vulnerability Enables RCE

NIST AI 100-2 Adversarial ML Taxonomy