
By Fredrik Lindstrom · ~9 minute read · June 2026
In May 2026, researchers at OX Security disclosed a flaw they called the mother of all AI supply chains. One design decision in the Model Context Protocol, the standard that connects AI agents to tools and data, propagated silently into implementations across Python, TypeScript, Java, and Rust. Ten CVEs. One root cause. Every downstream tool that inherited the code inherited the exposure.
Twenty years ago we learned this lesson in software. You cannot trust the contents of a package because the maintainer says you can. That lesson cost the industry billions and reshaped how regulated organizations buy, audit, and patch code. Software bill of materials. Signed packages. Vendor risk assessments. Approved software lists. None of it was inevitable. It was learned, slowly, after enough breaches to make the case undeniable.
AI just opened a new supply chain. The control framework for it does not exist yet.
What changed
Until recently, an AI tool was a closed product. You sent a prompt, it returned an answer. The risks were knowable: hallucinations, data leakage at the prompt, output bias. Most organizations now have an acceptable use policy telling employees not to paste customer data into a public chatbot.
In the last twelve months the model changed. AI tools now accept instructions from outside themselves. Skills, MCP servers, plugins, shared agent configurations are files that tell an AI how to behave, what to remember, which tools to call, and how to respond. They get imported into the working environment the way an npm package gets pulled into a codebase. Open repositories of them are growing fast. Some come from vendors. Most do not.
The most popular community AI agent repository on GitHub passed 31,000 stars this spring, with 185 agents and 153 skills, all maintained by one developer. LinkedIn posts offering “the complete agent OS, 235 skills, 500 sub-agents, comment for the link” are now a recurring growth tactic. In May, Anthropic launched Claude for Small Business with fifteen pre-built skills and connectors that let the AI act inside QuickBooks, PayPal, and HubSpot. The capability is real and useful. The supply chain underneath it is not visible to most boards.
This is no longer a forecast
When I drafted the first version of this argument, the risk was still mostly theoretical. Six weeks later it is documented.
Return to the OX Security disclosure. Their own framing is the part boards should sit with: one architectural decision, made once, propagated into every language and every downstream library. Anthropic declined to change the protocol, calling the behavior expected. Some downstream vendors patched. The exposure in the reference implementation remains, and developers who build on it inherit it.
In February, Check Point Research disclosed two vulnerabilities in Claude Code, Anthropic’s command-line coding tool (CVE-2025-59536, rated 8.7, and CVE-2026-21852). A malicious hook planted in a repository’s settings file ran shell commands the moment a developer opened the project, before the trust dialog appeared. A second flaw redirected the tool’s traffic to an attacker’s server and leaked the API key in plaintext. Clone a repo, open it, and the attacker had code execution and your credentials. Anthropic patched both. Check Point’s own conclusion is the line that matters: repository configuration files now function as part of the execution layer. What used to be passive metadata now runs.
The exposure is not contained to one vendor. SecurityScorecard’s research team scanned the internet and found 42,900 publicly accessible instances of one popular open-source agent runtime across 82 countries, with 93 percent of them running no authentication at all. A separate analysis of more than 7,000 MCP servers found over a third potentially open to server-side request forgery. In one proof of concept, researchers pulled AWS credentials out of a connected cloud instance through a single misconfigured server.
This is the supply chain. It is live, it is exposed, and most of it has never been audited by anyone with security responsibility.
Why existing controls miss it
The instinct is to assume current software supply chain controls cover this. They do not, for three reasons.
Instruction files are not code in the traditional sense. They are natural language. Static scanners do not read them. Dependency trackers do not catalog them. The toolchain looks past them.
The bill of materials is harder. A traditional SBOM tracks libraries. An AI tool layers instructions: the model’s training, the vendor’s system prompt, your policy prompt, an imported skill, an MCP server’s response, content pulled from the web mid-task. Every layer shapes behavior. Most organizations have no inventory past the first one.
The audit trail is thin. Most AI deployments log what the AI did. Fewer log what instructed it. When something breaks, the review reconstructs the output but rarely the input, and almost never the third-party instructions that were in scope at the time.
Underneath those three sit six mechanisms worth naming, because each one maps to a control a board already understands from software.
- Prompt injection. An instruction hidden in content the AI processes overrides what the user asked. The model cannot reliably separate its user’s instructions from instructions buried in a document it was told to read.
- Tool poisoning. The newest variant. The attack lives in the description of a tool, metadata the agent reads and the human never sees. OWASP ranked it the top agentic-skill risk this year.
- Data exfiltration. An imported skill asks the AI to summarize today’s work “for analytics.” The summary leaves. Nobody read the skill in full, so nobody noticed.
- Persona drift. An imported configuration reshapes the AI’s behavior for every task in the session, not just the one it was imported for. Quality shifts. The user blames model variance.
- Memory poisoning. An instruction tells the AI to remember something across sessions. It persists. Months later the AI is acting on information no one remembers authorizing.
- Agentic amplification. When the AI can send email, move files, or transfer money, a bad instruction stops being bad advice and becomes executable harm. The Check Point and OX Security findings are this category in the wild.
The confidence gap
Adoption is racing ahead of governance, and leadership does not see the distance.
Okta’s AI Agents at Work 2026 study, run across 292 executives and 492 knowledge workers in seven countries, found that more than half of organizations had an AI-related security incident or near miss in the past year. Executives stayed overwhelmingly confident in their ability to manage the risk. Fifty-two percent of knowledge workers admitted to using AI tools their organization never approved. Okta also found that 88 percent of organizations suspect or have confirmed an AI-agent security incident, while only 22 percent treat those agents as identity-bearing entities they can track and revoke.
The adoption number underneath all of this comes from Barclays. Their Q1 2026 Business Prosperity Index found 61 percent of UK businesses now using agentic AI and 68 percent planning to raise cybersecurity spending. Spending is climbing because the exposure is climbing. Both at once.
Read those together. Most organizations are deploying agents. Most have already had a scare. Most do not yet treat the agent as something to govern. That is the gap, measured.
The standards are starting to respond, unevenly. NIST AI RMF speaks to data and model provenance, but its language predates the skill-and-agent ecosystem. ISO 42001 covers AI management systems and third-party considerations without specifying controls for instruction-level imports. The EU AI Act governs high-risk deployments; the supply chain underneath them is not the focus of Articles 9 through 15. The first framework built specifically for this landed in April, when OWASP published its Agentic Skills Top 10. When OWASP names a category, the risk has matured enough to need shared vocabulary and structured mitigation. Malicious skills sit at the top of that list. That is the signal for boards: not that the problem is new, but that the security community now treats it as foundational.
Where to start
The starting framework is not different in shape from the one regulated organizations applied to software twenty years ago. The schedule is compressed.
Start with five questions. Who has authority to install AI skills, plugins, or MCP servers in our environment? If the answer is “anyone with a license,” that is a control failure regardless of intent. What is our inventory of those installations? If the security team cannot produce the list, the supply chain is unmonitored. What is our review process before an instruction file enters a high-privilege environment? “We read it” is not a process. Do we segregate AI deployments by privilege, so the AI that can read does not share an instruction set with the AI that can act? And where does AI memory live, and who is allowed to write to it?
Then build. Inventory every AI tool in production use, the skills and servers each one has imported, and who authorized them. Define an approval workflow, with agentic tools held to a higher tier than chatbots. Record provenance for every import: origin, author, last update, last audit. For most current imports the honest answer is “we don’t know.” Closing that is the work. Segregate by privilege the way your software architecture already does. And put cybersecurity, not innovation, in charge of the control framework. Innovation can run the deployment program. Security owns the standard. That debate was settled for cloud and DevSecOps a decade ago. AI is the same argument on a faster clock.
The verdict
The Promise and Risk needle leans toward Risk on this one, and the evidence moved it there. The capability is the most useful new layer of AI in the last year. But the control framework lags the capability by a wide margin, and the gap is no longer hypothetical. It has CVE numbers now.
Twenty years ago, boards delegated software supply chain risk to the technical team until breaches started landing in proxy statements. AI is following the same arc on a compressed timeline. The boards that start asking these questions now will not be the ones surprised when the answers show up in an audit. The ones who wait will inherit the answers, and the cost, together.
Disclosure: I work for Check Point Software in a services sales role. The Check Point Research findings cited above are the work of the company’s independent threat-intelligence team. I had no part in that research and reference it on the same terms as every other source in this piece.