Skip to main content
Springvanta
All posts
AI Security & GovernanceJun 23, 2026 · 6 min read

The Agent Toolchain Is the New Software Supply Chain. Nobody Audits It.

Snyk scanned 10,000 dev environments: half run ungoverned MCP servers. Agentjacking hit a Fortune 100. DifyTap wiretapped AI chat. The supply chain gap is here.

By SpringVanta

Snyk scanned nearly 10,000 developer environments and found something that should worry anyone running AI coding agents in production: over half of developers have MCP servers installed, and 1 in 12 of those setups contains a high or critical security flaw. One environment had more than 80 MCP servers running at once, each one a live connection to code repositories, production systems, and internal tools, with no security controls in between.

This data landed on June 23, the same day Snyk announced Evo Agentic Development Security (ADS), a product built specifically to govern the agent toolchain. It also landed one day after two independent security disclosures that proved the risk is not theoretical: Tenet Security demonstrated an attack called "agentjacking" that compromised a Fortune 100 company's AI coding agents with a single fake error report, and Zafran disclosed four vulnerabilities in Dify, an AI application platform with 10 million Docker pulls, that let attackers wiretap AI chat histories.

Three things happened in 48 hours. Together they describe a single problem: the tools AI agents depend on have become a new software supply chain layer, and almost nobody is governing it.

What 10,000 environments actually look like

Snyk's anonymized telemetry covers approximately 9,700 developer environments. The numbers are stark:

  • 50.8% of developers have at least one MCP server installed
  • 43% run two or more AI coding environments simultaneously (Claude Code, Cursor, Copilot, Windsurf, Gemini, Codex)
  • 1 in 7 developers with MCP servers had at least one security finding. 1 in 12 had a high or critical finding
  • Snyk found 392 confirmed prompt injection vulnerabilities embedded in tool descriptions and 98 confirmed malicious code patterns in agent skill files, all in active environments
  • 22.8% of developers had at least one agent skill installed, averaging 18 skills each. Over 1 in 10 skills reference external dependencies or externally hosted instructions

The most instrumented environments had 80+ MCP servers running at the same time. Each MCP server is a bridge between the agent and an external system: code repositories, browsers, databases, issue trackers, design tools. Traditional AppSec was built to scan code after it is written. It has no visibility into what the agent connected to, what instructions it consumed, or what permissions it exercised before any code reached a repository or CI pipeline.

Manoj Nair, Snyk's Chief Technology and Innovation Officer, put it bluntly: "Ask a security leader for a complete inventory of the AI agents, MCP servers, and skills running across their developer machines. In most organizations, that inventory doesn't exist."

The attack that proved it works

On June 22, Tenet Security published research on "agentjacking," an attack class that takes over AI coding agents through a mechanism they are designed to trust: error reports.

The attack chain is simple. Every Sentry customer has a public credential (the DSN) embedded in their website's JavaScript. Anyone can find it. You use that credential to post a fake error report to Sentry's ingest endpoint, formatted to match Sentry's own MCP system template. The Sentry MCP server delivers the poisoned report to the AI coding agent. The agent opens it, reads the embedded malicious instructions, and executes them.

Tenet Security reported an 85% success rate across Claude Code, Codex, and Cursor, on Windows, macOS, AWS, and GCP. They scanned public Sentry APIs and found 2,388 organizations exposed. In direct testing, they successfully agentjacked agents at multiple Fortune 500 companies, including one Fortune 100 company worth approximately $250 billion that had all of its AI coding agents compromised by a single injection.

Telling the agent not to trust error reports had no effect. Sandboxing the agent didn't help. Sentry told the researchers the issue "technically" cannot be fixed at the root because it is how the system was designed to work. The only defense is middleware.

The stolen data includes AWS keys, GitHub tokens, Sentry auth tokens, git credentials, private repository URLs, and developer identities. All of it exfiltrated without leaving a trace that defensive tools can detect.

The same problem in AI platforms

Also on June 22, Dark Reading reported that researchers at Zafran discovered four vulnerabilities in Dify, an open-source AI application platform with over 10 million Docker pulls. They call the cluster "DifyTap."

The most severe, CVE-2026-41947 (CVSS 9.1), lets an attacker create a free Dify account, grab a public-facing application's internal ID, and register their own tracing backend. From that point forward, every message and response flowing through the application gets copied to the attacker's server. For a company running a customer-facing chatbot on Dify, that means every user prompt, AI response, and chat history is now readable by an outsider.

CVE-2026-41948 (CVSS 9.4) exposes Dify's internal Plugin Daemon API to unauthenticated requests. Zafran called this a fundamental architectural flaw: any new endpoint in the Plugin Daemon could become a high-severity vulnerability.

Tens of thousands of Dify instances face the public internet. Three of the four bugs are patched in Dify 1.14.2, but CVE-2026-41948 requires building from the latest GitHub source. Zafran recommends WAF rules for anyone still on 1.14.2.

DifyTap extends the supply chain problem beyond coding agents. Any platform that orchestrates AI applications, manages plugins, or connects agents to external tools has the same architectural exposure: it sits between users and sensitive data, it trusts its internal components, and it was built for functionality before security.

The market response: governance inside the loop

Snyk's Evo ADS, announced June 23 and entering general availability June 29, is built around three layers that map directly to the exposure the research revealed:

  1. Supply chain discovery: Inventories MCP servers, skills, and external tools across developer environments. Assesses each for prompt injection, malicious code patterns, and untrusted dependencies before the agent interacts with them.

  2. Runtime governance: Monitors agent behavior in real time and can block destructive actions before they execute. This is the middleware layer that agentjacking requires, operating inside the agent workflow rather than scanning code after the fact.

  3. Output validation: Scans AI-generated code at creation time, applying fixes before code reaches a repository or pipeline.

Brendan Putek, Director of DevOps at Relay Network, a Snyk design partner running Claude Code, Copilot, Codex, and Windsurf, described what prompted them to adopt the platform: "We're seeing supply chain attacks, malicious skills, and compromised MCP servers riding in on the agent's own toolchain, plus agents taking actions with no guardrails between intent and execution."

Snyk's ToxicSkills research reinforces the scope. Of 3,984 public agent skills analyzed from ClawHub and skills.sh, 13.4% contained at least one critical-level security issue. Nearly 91% of malicious skills combined prompt injection with malware, which lets them bypass both AI safety filters and traditional security scanners at the same time.

What buyers should do

The agentjacking attack, Snyk's environment scan, and the DifyTap bugs all point to the same structural gap. If your organization uses AI coding agents or AI application platforms, three actions are immediate:

Inventory your agent toolchain. Which AI coding environments are installed on developer machines? Which MCP servers? Which agent skills? Where did each component come from? Most organizations cannot answer these questions today. Snyk's data suggests the average environment has multiple ungoverned connections to production systems.

Treat MCP servers and skills as supply chain components. They shape code before it reaches a repository. They carry external instructions that influence agent behavior. They need the same governance applied to npm packages or container images: provenance verification, vulnerability scanning, and policy enforcement.

Evaluate runtime controls. Agentjacking proved that after-the-fact scanning is too late. The attack executes inside the agent's workflow. By the time code reaches a repository, the credentials are already gone. Controls need to operate at the moment of action, not downstream from it.

Tenet Security published an open-source mitigation called "agent-jackstop" for Claude Code and Cursor. It reduces risk but does not eliminate it. Sentry says the root cause cannot be fully remediated. Middleware inside the agent workflow, the approach Snyk is commercializing, is the only path currently identified.

The Fortune 100 company that lost its AI coding agents to one fake error report will not be the last. The attack surface is already deployed across thousands of organizations. Whether the governance layer arrives before the next agentjacking is the question every security team should be asking this week.

Continue reading

← Previous

AI Coding Tools Hit a Pivot Point in 72 Hours

Next →

Nobody Can Review AI Code Fast Enough. Three Products Shipped in 72 Hours.

Read more

Like this kind of writing?

One email when something good ships — usually once or twice a month.

SubscribeAll posts