Your AI Coding Agent Just Installed a RAT. It Had No Way to Know.
Agents can't know what they don't know to learn. Supply chain attacks blindside us, turning known-good patterns into brand new attack vectors. This is how agents keep up. This is how we fight back.
On March 30, 2026, a threat actor compromised the official Axios npm package — one of the most depended-upon libraries in the JavaScript ecosystem, with over 100 million weekly downloads. Two poisoned versions were published within a 39-minute window. Both the latest and legacy distribution tags were hijacked. A cross-platform Remote Access Trojan was deployed to every machine that ran npm install during the exposure window: Windows, macOS, and Linux.
Every AI coding agent in the world would have installed it without hesitation.
This wasn’t the first warning. In November 2025, CVE-2025-64756 exposed a command injection vulnerability in the glob package, another foundational Node.js dependency embedded in CI/CD pipelines across the ecosystem. An AI agent instructed to scan a directory using a vulnerable glob version would execute attacker-controlled commands without any indication that the action was unsafe. Between March 19 and March 27, 2026, the TeamPCP campaign compromised four more widely-used open-source projects in rapid succession: Trivy, KICS, LiteLLM, and Telnyx. The pattern is no longer emerging. It’s accelerating.
The gap between “routine action” and “compromised execution” isn’t closing. It’s widening, and AI agents are expanding the attack surface faster than the ecosystem can defend it.
That’s not a failure of the models. It’s a structural gap in how we’ve built the tooling around them.
The Problem Is Architectural
When an AI agent executes npm install axios, it’s performing a routine, correct, and expected action. There’s no signal in the command itself that distinguishes a clean install from a compromised one. The package name is correct. The version number follows semver conventions. The registry URL is legitimate.
The risk doesn’t live in the prompt. It doesn’t live in the model’s intent. It lives in the execution context — and no model, regardless of capability, has access to the information needed to evaluate it.
This is not a new class of problem. Supply chain attacks have been accelerating for years. What’s new is the multiplier: millions of AI-assisted coding sessions executing dependency installations, build scripts, and package resolutions with no runtime trust verification. The agent doesn’t check provenance. It doesn’t track maintainer continuity. It doesn’t validate build attestations. It can’t.
What Would Have Caught This
The Axios compromise produced at least six detectable signals before any developer or agent pulled the package:
Maintainer account change — the publishing email switched from a known address to an unverified one
Provenance break — SLSA build attestation was absent on the new versions, breaking a pattern established across all prior releases
Dependency injection — a new transitive dependency (plain-crypto-js) appeared in a mature package that hadn’t added one in years
Version velocity anomaly — two versions across two branches published within 39 minutes
Staging artifact — the malicious dependency was pre-published 18 hours earlier to establish registry history
Postinstall hook — the injected package included an execution hook that fires during install
Any one of these signals, evaluated at the right layer, would have been sufficient to pause the action and escalate for review. Together, they’re overwhelming.
No model sees these. No prompt contains them. No amount of reasoning reconstructs them. These signals exist outside the agent’s field of view in registry metadata, build provenance records, and advisory databases that current AI tooling never consults before acting.
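To make the six signals concrete, here is an added example (not Hilt’s code, and not taken from the original post) that evaluates each new release of a package against its own established pattern. The record layout, the dependency index, and every date, publisher address and version number are constructed for the example; only the signal names follow the list above.

```python
"""Worked detector for the six pre-pull signals listed above. This is an added
example, not Hilt's code; the record layout and all sample values are constructed."""
from datetime import datetime, timedelta

# Constructed release history for an axios-like package. The field names are this
# example's own simplified schema, not the npm registry's JSON layout, and the
# dates, publishers and dependency names are illustrative only.
BASE_DEPS = ["follow-redirects", "form-data", "proxy-from-env"]
PACKAGE = {
    "name": "axios",
    "releases": [
        {"version": "1.13.0", "published": "2026-01-10T10:00:00", "publisher": "maintainer@example.org",
         "provenance": True, "dependencies": BASE_DEPS},
        {"version": "1.13.1", "published": "2026-02-14T09:30:00", "publisher": "maintainer@example.org",
         "provenance": True, "dependencies": BASE_DEPS},
        # Two releases on two branches, 39 minutes apart, from a new publisher, with no
        # attestation and a dependency the package never had before.
        {"version": "1.14.0", "published": "2026-03-30T14:00:00", "publisher": "unknown@example.net",
         "provenance": False, "dependencies": BASE_DEPS + ["plain-crypto-js"]},
        {"version": "0.30.3", "published": "2026-03-30T14:39:00", "publisher": "unknown@example.net",
         "provenance": False, "dependencies": BASE_DEPS + ["plain-crypto-js"]},
    ],
}

# Constructed index of dependency metadata: when each package first appeared on the
# registry (dates invented for the example) and which lifecycle scripts it declares.
DEPENDENCY_INDEX = {
    "follow-redirects": {"first_published": "2015-01-01T00:00:00", "scripts": {}},
    "form-data":        {"first_published": "2012-01-01T00:00:00", "scripts": {}},
    "proxy-from-env":   {"first_published": "2016-01-01T00:00:00", "scripts": {}},
    # staged 18 hours before the poisoned release, with an install-time hook
    "plain-crypto-js":  {"first_published": "2026-03-29T20:00:00", "scripts": {"postinstall": "node setup.js"}},
}

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _ts(value):
    return datetime.fromisoformat(value)


def evaluate_release(baseline, all_prior, candidate, dep_index,
                     velocity_window=timedelta(hours=1), staging_window=timedelta(days=7)):
    """Return the signal names raised by `candidate`.

    `baseline` holds earlier releases that themselves raised no signals (the package's
    established pattern); `all_prior` holds every earlier release, flagged or not, so
    that a burst of suspicious versions is still counted for the velocity check.
    """
    signals = []
    when = _ts(candidate["published"])
    if baseline:
        if candidate["publisher"] not in {r["publisher"] for r in baseline}:
            signals.append("maintainer_change")
        if all(r["provenance"] for r in baseline) and not candidate["provenance"]:
            signals.append("provenance_break")
    known_deps = set().union(*(r["dependencies"] for r in baseline)) if baseline else set(candidate["dependencies"])
    new_deps = sorted(set(candidate["dependencies"]) - known_deps)
    if new_deps:
        signals.append("new_dependency")
    if any(when - _ts(r["published"]) <= velocity_window for r in all_prior):
        signals.append("version_velocity")
    for dep in new_deps:
        meta = dep_index.get(dep)
        if meta is None:
            continue
        if when - _ts(meta["first_published"]) <= staging_window:
            signals.append("staging_artifact")
        if any(hook in meta.get("scripts", {}) for hook in INSTALL_HOOKS):
            signals.append("postinstall_hook")
    return signals


def evaluate_package(package, dep_index):
    """Walk releases in publication order; a flagged release never becomes the new normal."""
    results, baseline, all_prior = {}, [], []
    for rel in sorted(package["releases"], key=lambda r: _ts(r["published"])):
        signals = evaluate_release(baseline, all_prior, rel, dep_index)
        results[rel["version"]] = signals
        if not signals:
            baseline.append(rel)
        all_prior.append(rel)
    return results


def decision(signals):
    """Any single signal is enough to pause the install and escalate for review."""
    return "pause_and_escalate" if signals else "proceed"


if __name__ == "__main__":
    for version, signals in evaluate_package(PACKAGE, DEPENDENCY_INDEX).items():
        print(f"{PACKAGE['name']}@{version}: {decision(signals)} {signals}")
```

Two design points matter here. First, a release that trips a signal is never admitted to the baseline, so the second poisoned version is compared against the maintainer’s genuine history rather than against the first poisoned one. Second, none of the inputs come from the install command itself: the detector only consumes registry metadata, which is exactly the information the post says the agent never sees.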
The Missing Layer: A Runtime Trust Oracle
What’s needed is not another vulnerability scanner. Scanners operate after the fact — they tell you what’s already in your dependency tree. The gap is at the point of action: the moment an agent (or a developer) decides to install, fetch, or import a package.
The only alternative is restriction: limiting what agents are allowed to do, reducing their autonomy, and reintroducing human gating at every step. That’s not scalable, and it defeats the purpose of agentic systems.
We built Hilt, a supply chain trust oracle designed to sit at that decision point. The architecture is straightforward:
A normalized trust registry that aggregates signals from public advisory sources (OSV.dev, GitHub Advisory Database, npm audit, PyPI safety-db, NVD) and enriches them with provenance analysis, maintainer continuity checks, and dependency graph anomaly detection. Every package-version pair gets a trust classification: trusted, untrusted, or unverified.
Three consumption modes:
A hashed daily snapshot — a downloadable file with a SHA-256 integrity manifest, consumable by air-gapped environments, CI/CD pipelines, and local agents without a live API call. Think DNS blocklists, but for packages.
An API and MCP server — real-time lookup for AI agents. Before an agent executes a dependency action, it queries Hilt. The response is a trust classification plus the signals that produced it. For agents operating within a governance framework like CRAG (Context-Removed Action Gating), this becomes an action gate: the install is permitted, warned, or blocked based on the package’s trust posture — independent of the agent’s intent or the user’s prompt.
A real-time terminal dashboard — for the humans. SOC analysts, DevSecOps leads, and security teams get a live feed of package publications across registries, with anomaly highlighting, watchlists for organizational dependencies, and alerting on trust score changes. Same data, same scoring, different interface.
The key design principle: the agent doesn’t need to understand supply chain security. It just needs a gate. The intelligence lives in the registry; the enforcement lives in the orchestration layer.
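The snapshot mode and the action gate described above, as an added example that is not Hilt’s code or its real snapshot format: a consumer verifies a downloaded snapshot against its SHA-256 manifest, then turns the stored trust classification into a permit / warn / block decision for one resolved package-version. The file layout, the manifest shape, the policy table and all entries are assumptions constructed for this example.

```python
"""Action gate fed by a hashed daily snapshot. Added example, not Hilt's code or
snapshot format; the file layout, manifest shape and policy table are assumptions."""
import hashlib
import hmac
import json

# Constructed snapshot: one entry per package-version pair, each carrying the trust
# classification and the signals behind it. Contents are illustrative only.
SNAPSHOT = {
    "generated": "2026-03-31T00:00:00Z",
    "entries": {
        "npm:axios@1.13.1": {"trust": "trusted", "signals": []},
        "npm:axios@1.14.0": {"trust": "untrusted",
                             "signals": ["maintainer_change", "provenance_break", "postinstall_hook"]},
        "pypi:example-lib@0.0.1": {"trust": "unverified", "signals": ["no_provenance"]},
    },
}

# Trust posture -> gate decision. The decision depends only on the entry, never on
# the agent's intent or the prompt that led to the install.
POLICY = {"trusted": "permit", "unverified": "warn", "untrusted": "block"}


def canonical_bytes(snapshot):
    """Serialise deterministically so the hash is stable across producers and consumers."""
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_manifest(snapshot):
    """Producer side: the integrity manifest shipped next to the snapshot file."""
    return {"sha256": hashlib.sha256(canonical_bytes(snapshot)).hexdigest()}


def verify_snapshot(snapshot, manifest):
    """Consumer side: reject a snapshot whose digest does not match the manifest."""
    digest = hashlib.sha256(canonical_bytes(snapshot)).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


def gate(snapshot, manifest, ecosystem, name, version):
    """Decide permit / warn / block for one resolved package-version before it is installed."""
    if not verify_snapshot(snapshot, manifest):
        # Fail closed: a snapshot that cannot be verified must not vouch for anything.
        return {"decision": "block", "trust": None, "signals": [],
                "reason": "snapshot failed integrity check"}
    entry = snapshot["entries"].get(f"{ecosystem}:{name}@{version}")
    if entry is None:
        # Unknown to the snapshot: treat as unverified rather than silently permitting.
        return {"decision": POLICY["unverified"], "trust": "unverified", "signals": [],
                "reason": "no entry in snapshot"}
    return {"decision": POLICY[entry["trust"]], "trust": entry["trust"],
            "signals": list(entry["signals"]), "reason": "snapshot entry"}


if __name__ == "__main__":
    manifest = make_manifest(SNAPSHOT)
    for eco, name, ver in [("npm", "axios", "1.13.1"), ("npm", "axios", "1.14.0"),
                           ("pypi", "example-lib", "0.0.1"), ("npm", "unknown-pkg", "1.0.0")]:
        print(f"{eco}:{name}@{ver} -> {gate(SNAPSHOT, manifest, eco, name, ver)}")
```

Two caveats a practitioner would want. The gate keys on the resolved version, so the orchestration layer must resolve a dist-tag such as latest before asking; that is precisely the case where a hijacked tag points at a poisoned version. And a hash manifest only detects corruption or tampering if the manifest itself arrives over an authenticated channel or carries its own signature; whoever can replace the snapshot file can otherwise replace the manifest beside it.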
Why This Matters for AI Safety
This is a cybersecurity problem and an AI governance problem, and the two are converging.
The argument at the core of CRAG (Context-Removed Action Gating) is that safety enforcement must move from the classification layer to the action layer, operating on context-independent signals (provenance, integrity, trust scores) rather than context-dependent ones (intent, framing, prompt content). The command npm install axios is identical whether the package is safe or compromised. The action is the same. The context is invisible. The only meaningful distinction comes from external trust signals evaluated before execution.
Hilt is CRAG’s reference implementation for the supply chain domain. As AI agents gain the ability to install packages, deploy code, call APIs, and modify infrastructure at scale, the attack surface isn’t just growing linearly; it’s compounding. Every agent that executes dependency actions without a trust gate is an unmonitored entry point.
We don’t need smarter agents. We need agents that know when not to act.
What’s Next
The data pipeline, trust scoring engine, REST API, and MCP server are built. The real-time terminal dashboard is in active development. Initial scope covers npm and PyPI ecosystems, with additional registry support on the roadmap.
The free tier will include the daily snapshot and a rate-limited API, enough for individual developers and open-source projects to get coverage. The MCP server will be available as a community tool for any agent framework that speaks the protocol. Add Hilt to your Claude Code config and your agent queries trust scores before every install — no workflow changes, no new commands, just a gate that wasn’t there before.
We’ll publish technical details on the trust signal taxonomy and scoring methodology as the build progresses.
Whether you’re building AI agents that execute dependency actions or you’re responsible for securing CI/CD pipelines that AI agents touch, this is the layer that’s missing.
The future of AI safety isn’t just about what models say. It’s about what agents do. Let’s make sure they have the information they need before they act.
Hilt is a product of DigitalEgo. CRAG (Context-Removed Action Gating) is an open research framework for AI action-level governance, available on Zenodo. For updates or early access, visit trusthilt.com.
Mike Bumpus — DigitalEgo
