Your Agent Has a Supply Chain Problem

The TeamPCP campaign that hit LiteLLM didn't start there. It began five days earlier with Trivy, a widely-used security scanner from Aqua Security. Attackers hijacked GitHub Action tags to inject a credential stealer into CI/CD pipelines across thousands of repositories. From there, they spread to Checkmarx KICS, OpenVSX extensions, Docker Hub images, and eventually LiteLLM itself — likely using stolen PyPI credentials harvested from the Trivy breach.

The pattern is worth pausing on. This wasn't a single attack. It was supply chain hopscotching — compromise one tool, steal tokens, use those tokens to compromise the next tool, repeat. Each hop looked legitimate from the outside. Each package had real maintainers, real users, real trust.

On the npm side, the same campaign spawned CanisterWorm — a self-propagating worm that compromised 40 to 60 packages through stolen publish tokens. It used a decentralized command-and-control infrastructure built on Internet Computer Protocol canisters, making it harder to take down than traditional C2 servers.

The LiteLLM variant was particularly aggressive. Version 1.82.8 used a Python `.pth` file — a little-known mechanism that runs code automatically on interpreter startup, no import required. It targeted everything: SSH keys, AWS/GCP/Azure credentials, API keys, `.env` files, Git configs, npm tokens, crypto wallets, Kubernetes secrets, Docker configs, database passwords, even shell history. The malware included encryption (AES + RSA), exfiltration to attacker domains, and in some variants, lateral movement and persistence in Kubernetes clusters.

The saving grace? The attacker's own code had a bug — a fork bomb from recursive `.pth` execution that caused crashes, drawing attention within hours. The window was short. But for anyone who installed during that window, the damage was comprehensive.

Perhaps the most alarming development of 2026 has been the targeting of agent skill marketplaces — the emerging ecosystem where AI agents discover and install third-party capabilities.

Starting in late January, researchers began uncovering malicious skills on ClawHub, the third-party marketplace for OpenClaw. The scale was staggering. An initial audit of 2,857 skills found 341 malicious entries. By mid-February, the count had grown to over 1,184 malicious packages across 12 publisher accounts. A broader study by Snyk found that 36% of all ClawHub skills contained security flaws, with 1,467 confirmed malicious payloads.

The ClawHavoc campaign was the primary culprit. Attackers uploaded skills disguised as popular tools — crypto wallets, Polymarket trading bots, YouTube utilities, Google Workspace integrations. The skills looked professional. But their documentation included a "Prerequisites" section instructing users (or their agents) to install a fake CLI tool. That tool delivered Atomic Stealer (AMOS), a macOS infostealer targeting browser credentials, keychain passwords, crypto wallets, SSH keys, and API tokens.

What made this different from traditional malware distribution: the skills didn't just target humans. They were designed to manipulate AI agents as trusted intermediaries. The agent reads the skill documentation, sees the prerequisite, and either installs it automatically or presents it to the user as a routine setup step. As Trend Micro's research team put it, this was "social engineering on AI agents" — a shift from prompt injection to using the AI itself as a trusted relay.

Beyond ClawHavoc, researchers found skills embedding reverse shell backdoors in otherwise functional code, skills that stayed dormant until triggered by specific natural language prompts, and skills that quietly exfiltrated bot credentials to external servers.

Then came the Bob P2P attack — which introduced agent-to-agent social engineering. Fake agent personas were embedded in agent social networks, built credibility with legitimate-seeming skills first, then deployed malicious payloads through earned trust. The attack spread laterally through automated agent collaboration and shared workflows, with no further human interaction required.

SecurityWeek called it "a new attack class: traditional supply chain poisoning combined with social engineering campaigns that target algorithms, not humans." The playbook is infinitely repeatable and scalable.

The mitigation advice for individual incidents is well-documented (rotate credentials, pin versions, use lockfiles, scan dependencies). But the pattern across all of these incidents points to a structural gap that tooling alone won't close.

For builders and teams shipping agents today:

• Treat agent skills like third-party code, because they are. Every skill, plugin, or MCP server your agent connects to is an extension of your attack surface. Audit before install. Run unvalidated skills in sandboxed environments. Apply least-privilege by default.

• Never pass raw untrusted input to agents with tool access. The Cline attack and PromptPwnd both exploited the same pattern: user-generated content (issue titles, PR descriptions) flowing directly into LLM prompts with bash execution. Sanitize, structure, and constrain.

• Pin everything. Verify everything. Exact versions in lockfiles. OIDC provenance for package publishing. Signature verification where available. If your CI/CD pulls latest, you're one compromised tag away from a full breach.

• Monitor the agent's behavior, not just its inputs. Outbound connections to unknown domains, unusual package installations during builds, signing key usage outside patterns — these are the signals that catch supply chain attacks between install and exfiltration.

• Assume compromise happens. Plan for rotation. The LiteLLM window was hours. The ClawHavoc campaign ran for weeks. Your incident response plan should include "rotate every credential the agent could have accessed" as step one, not an afterthought.