Your AI Agent Installs Packages Now. Who Is Checking Them?

AI coding agents install dependencies, add MCP servers, and obey rules files nobody reads. supply-chain-guard v5.4.1 scans all of it, and ships an MCP server so your agent can vet a package before it ever touches your machine.

Your AI Agent Installs Packages Now. Who Is Checking Them?

Somewhere in the last two years, the person running npm install stopped being a person.

AI coding agents add dependencies, wire up MCP servers, and follow instructions from rules files that no human has read since they were committed. Every one of those steps is a supply-chain decision, and until now, none of them had a scanner.

We just shipped one. supply-chain-guard v5.4.1 is the first open-source release we know of that treats the agentic ecosystem as what it has become: an attack surface.

The blind spot

The classic supply-chain pipeline had one gate that mattered: a human deciding what to install. Security tooling grew around that gate: advisory databases, lockfile audits, CI checks.

Agents route around it. Consider what a modern coding agent touches in a single session:

  • Dependencies, installed on your behalf, sometimes from a hallucinated package name that a squatter registered last week.
  • MCP server configs (.mcp.json, claude_desktop_config.json, editor variants), each one a process with your credentials in its environment and a tool description your agent will read and trust.
  • Rules and skill files (.cursorrules, SKILL.md, copilot-instructions.md, AGENTS.md, CLAUDE.md), which are instructions your agent executes with your permissions, in plain markdown, in every cloned repo.

The numbers on that last category are not theoretical. The ClawHub registry audit in February found 341 malicious skills, 11.9 percent of everything it scanned. Snyk's ToxicSkills study reported prompt-injection payloads in roughly a third of the skills it examined. OWASP now tracks malicious skills as AST01 in its Agentic Skills Top 10. And the Shai-Hulud 2.0 worm campaign explicitly targeted MCP server packages on npm.

A cloned repository is enough. Your agent reads the rules file because that is what agents do. If the file contains hidden instructions, invisible Unicode, or a fake system prompt, the attacker is not exploiting your agent. They are simply using it.

What shipped in v5.4.1

Three scanners and one server, all in the same zero-dependency CLI.

MCP config scanning. Every scan now inspects MCP server configurations: server packages matched against our bundled campaign IOC feed and known-bad version list, remote endpoints checked against C2 indicators, plain-HTTP servers flagged, credentials forwarded to remote servers flagged, and prompt injection inside tool descriptions detected before your agent ever loads the tool.

Skills and rules-file scanning. SKILL.md files, agent hooks, .cursorrules, Copilot instructions, and CLAUDE.md files are scanned for injected LLM control tokens, invisible-Unicode instruction channels, download-and-execute one-liners, credential-harvesting patterns, and dangerous hook commands. We tuned this against false positives the hard way: our own repository is full of legitimate agent instructions and security documentation, and it scans clean.

A built-in MCP server. This is the part we find genuinely new. Run:

npm install -g supply-chain-guard
claude mcp add supply-chain-guard supply-chain-guard mcp

This form works in every shell, including PowerShell, and avoids npx cold-start timeouts on the first connect.

and your agent gains three tools: an offline IOC lookup covering npm, PyPI, RubyGems, Composer and NuGet, a directory scanner, and a remote npm package scanner. Which means the agent can check a package for malware before installing it, as a natural step in its own workflow.

There is a pleasing symmetry here. The scanner your agent calls is the same scanner that detects prompt injection aimed at the agent doing the calling.

A live threat feed. Our IOC feed previously shipped only with releases. It is now published on every push, and supply-chain-guard feed refresh pulls it into a local cache that every scan merges automatically for the next 24 hours. When a campaign breaks in the morning, protection lands the same day, not at the next version bump.

What this is not

supply-chain-guard does not do CVE lookups, and we are not going to pretend otherwise. For known vulnerabilities, pair it with Google's osv-scanner or plain npm audit; they are excellent at exactly that. We are the other axis: behavioral heuristics, campaign indicators, and now the agentic surfaces, running fully local, no account, no telemetry, Apache-2.0.

One CI job covers both axes:

- run: osv-scanner --lockfile=package-lock.json   # known CVEs and catalogued malware
- run: npx supply-chain-guard scan . --fail-on high   # behavior, campaigns, agentic surfaces

Built in the open

Everything above was built in public: 56 modules, over a thousand tests, every detection rule with positive and negative cases, and a policy engine that fails closed when you typo your own config. The repository self-scans on every release, which is how we keep catching our own false positives before you do (this release alone: our published IOC feed initially set off 169 alarms in our own scanner, which is exactly the kind of bug you want to find at home).

If you want to get involved, we seeded a set of scoped good-first-issues, from Open VSX support to CI recipes for your favorite pipeline. The code is at github.com/homeofe/supply-chain-guard and the package is one npx supply-chain-guard scan . away.

Your agent is already making supply-chain decisions. As of this release, it can make informed ones.