How AI Coding Agents Unwittingly Spread Supply Chain Threats

In early 2025, Microsoft disabled 73 GitHub repositories—including the widely used Azure Functions Action—after discovering a supply chain attack that didn’t target developers directly. Instead, it weaponized the AI coding agents embedded in automated CI/CD workflows, turning them into unwitting carriers of malicious code.

This incident, dubbed the Miasma worm, marks a turning point in software supply chain security. Unlike traditional attacks that rely on phishing or leaked secrets, the Miasma worm exploits a fundamental design flaw in agentic development environments: AI assistants blindly trust the data they receive, even when that data has been deliberately poisoned. The result is a self-propagating chain reaction where a single compromised input can cascade through hundreds of repositories, with no human ever noticing.

For teams relying on AI-driven automation, this attack underscores a critical question: What happens when the tools meant to accelerate development become the entry point for sabotage?

The Anatomy of an Agentic Supply Chain Attack

The Miasma worm didn’t exploit a software bug or a misconfigured secret. It weaponized the trust that AI coding agents place in their inputs. In modern CI/CD pipelines, these agents operate as autonomous entities, reading files, executing commands, and committing changes based on the data they consume. When an agent processes a poisoned tool result—whether a tampered README, a hijacked workflow file, or a malicious MCP server response—it treats that input as legitimate and acts accordingly.

Here’s how the attack unfolded:

• A malicious payload was injected into a repository’s file or workflow, targeting an AI agent’s expected input format.
• The agent, operating under the assumption that all tool results are trustworthy, processed the payload without scrutiny.
• The agent then executed actions based on the poisoned data—such as modifying CI workflows, committing code, or triggering downstream builds.
• Each infected repository became a new source of poisoned inputs, spreading the worm to any agent with write access.
• The cycle repeated autonomously, with no human intervention required at any stage.

The worm’s self-replicating nature turned every compromised repository into a potential launching pad for further attacks. Unlike traditional malware, the Miasma worm didn’t need to exploit a vulnerability—it exploited a design assumption.

Why Existing Defenses Failed

Traditional supply chain security tools were built for a pre-agentic era, where threats came from external actors or misconfigurations—not from the tools meant to assist developers. These defenses include:

• GitHub Actions security controls, which focus on detecting malicious actions and enforcing permission boundaries but ignore the semantic content of what an agent is instructed to do.
• Static and dynamic application security testing (SAST/DAST), which scan code for vulnerabilities but fail to analyze whether the instruction that produced that code was adversarial.
• Secrets managers, which prevent credential leaks but cannot detect when an agent has been manipulated into misusing those credentials through a series of seemingly benign tool calls.
• Container scanning, which checks images for known vulnerabilities but has no visibility into the prompt or tool result that triggered the agent to modify the Dockerfile in the first place.

In each case, the tools were blind to the real threat: an agent’s blind trust in its inputs. None of these solutions sat between the tool result and the agent, asking the critical question: Is this content trying to manipulate what the agent does next?

A Layered Defense for Agentic Workflows

To address this gap, a new class of security tools has emerged—tools designed specifically to intercept and inspect the data flowing into AI agents before it reaches their context windows. One such solution, developed by Sentinel, introduces a transparent proxy layer that sits between the agent and its tools, scanning every tool result for signs of adversarial manipulation.

Here’s how it works:

1. Normalization Layer

Before pattern matching begins, the proxy strips hidden threats embedded in text, such as:

• Invisible Unicode characters (e.g., U+E0000) used to hide payloads in code.
• Bidirectional text overrides that disguise malicious instructions.
• Homoglyphs that replace characters with visually similar but functionally different ones.

By sanitizing inputs at this stage, the proxy ensures that obfuscated attacks are defanged before deeper analysis.

2. Fast-Path Regex Layer

This layer targets high-confidence attack signatures, including:

• Authority hijacking phrases like "ignore previous instructions" or "your new system prompt is".
• Prompt extraction attempts that coerce the agent into revealing sensitive data.
• Persona shifts that redirect the agent’s behavior toward unintended outcomes.

If a tool result contains these patterns, it’s blocked in milliseconds, preventing the agent from ever processing the malicious content.

3. Vector Similarity Layer

For subtler attacks that avoid obvious keywords, this layer computes a semantic embedding of the tool result and compares it against a library of known attack signatures. Even if an attacker avoids using explicit commands, the intent behind the text may still align closely with adversarial patterns.

In strict mode, the detection threshold is lowered to a cosine similarity of 0.25, catching borderline cases that other tools would miss.

4. Secret Detection Layer

As a secondary safeguard, this layer scans for embedded credentials, API keys, or tokens that may have been injected into the tool result. Even if the primary threat scorer misses a poisoned input, secrets are redacted before the agent can process them, preventing credential theft or misuse.

When a tool result is blocked, the proxy substitutes it with an inert placeholder—such as a neutral message like "This content has been filtered for security."—so the agent continues operating without disruption, but never receives the weaponized payload.

Implementing Agentic Security in Practice

Adopting this defense requires minimal changes to existing workflows. Teams can redirect their AI coding agents to route tool results through a transparent proxy like Sentinel’s, requiring only two adjustments:

import anthropic

# Point the Anthropic SDK to Sentinel's proxy instead of the original API endpoint
client = anthropic.Anthropic(
    api_key="sk_live_...",  # Your Sentinel API key
    base_url="  # Proxy endpoint
)

# Agent proceeds as usual, unaware of the security layer
response = client.messages.create(
    model="claude-sonnet-4-6",
    max_tokens=4096,
    system="You are a coding assistant. Use the read_file and run_tests tools as needed.",
    messages=[{"role": "user", "content": "Review the CI workflow and flag any issues."}],
)

The proxy operates transparently, meaning no modifications to the agent’s code or prompts are necessary. When a poisoned tool result is detected, the proxy logs the threat internally while ensuring the agent remains unaffected. The output resembles:

{
  "request_id": "f7e3a1...",
  "security": {
    "action_taken": "blocked",
    "threat_score": 0.89,
    "matched_patterns": ["authority_hijack", "tool_abuse"],
    "secret_hits": 0,
    "secret_types": []
  },
  "safe_payload": null
}

This approach shifts supply chain security from reactive to proactive, addressing threats at the moment they enter the agent’s workflow rather than after they’ve already propagated.

The Future of Agentic Security

The Miasma worm’s attack surface—AI coding agents operating within CI/CD pipelines—isn’t going away. As AI becomes more deeply integrated into software development, the risks of agentic supply chain attacks will only grow. The good news is that solutions like transparent proxies and agentic threat detection layers are emerging to fill the gaps in existing defenses.

For organizations still relying on AI-driven automation, the key takeaway is clear: Trust is the new attack surface. The tools that accelerate development must also be the tools that protect it. By embedding security directly into the data pipeline, teams can ensure that their AI agents remain allies—not unwitting accomplices—in the fight against supply chain threats.