attack 2026

Supply-Chain Poisoning Attacks Against LLM Coding Agent Skill Ecosystems

Yubin Qu 1, Yi Liu 2,3,4, Tongcheng Geng 1, Gelei Deng 3, Yuekang Li 5, Leo Yu Zhang 1, Ying Zhang 6, Lei Ma 7,8

1 Griffith University

2 Quantstamp

3 Nanyang Technological University

4 The State Information Center

5 University of New South Wales

6 Wake Forest University

7 The University of Tokyo

8 University of Alberta

0 citations
α

Published on arXiv

2604.03081

AI Supply Chain Attacks

OWASP ML Top 10 — ML06

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Achieves 11.6% to 33.5% bypass rates across four frameworks and five models, while explicit instruction attacks achieve 0% under strong defenses; 2.5% evade both static detection and alignment

DDIPE

Novel technique introduced

LLM-based coding agents extend their capabilities via third-party agent skills distributed through open marketplaces without mandatory security review. Unlike traditional packages, these skills are executed as operational directives with system-level privileges, so a single malicious skill can compromise the host. Prior work has not examined whether supply-chain attacks can directly hijack an agent's action space, such as file writes, shell commands, and network requests, despite existing safeguards. We introduce Document-Driven Implicit Payload Execution (DDIPE), which embeds malicious logic in code examples and configuration templates within skill documentation. Because agents reuse these examples during normal tasks, the payload executes without explicit prompts. Using an LLM-driven pipeline, we generate 1,070 adversarial skills from 81 seeds across 15 MITRE ATTACK categories. Across four frameworks and five models, DDIPE achieves 11.6% to 33.5% bypass rates, while explicit instruction attacks achieve 0% under strong defenses. Static analysis detects most cases, but 2.5% evade both detection and alignment. Responsible disclosure led to four confirmed vulnerabilities and two fixes.

Key Contributions

  • Document-Driven Implicit Payload Execution (DDIPE) attack embedding malicious logic in skill documentation code examples
  • LLM-driven pipeline generating 1,070 adversarial skills across 15 MITRE ATT&CK categories
  • Empirical evaluation showing 11.6-33.5% bypass rates across four frameworks and five models, with 2.5% evading both static analysis and alignment

🛡️ Threat Analysis

AI Supply Chain Attacks

Trojanizes third-party agent skills distributed through open marketplaces without security review — classic supply chain compromise targeting the LLM agent ecosystem infrastructure.

Details

Domains
nlp
Model Types
llm
Threat Tags
black_boxinference_timetargeted
Applications
llm coding agentsagent skill marketplaces
Read PDF arXiv

Similar Papers

attack

Takedown: How It's Done in Modern Coding Agent Exploits

2025 3 cit.
81%
attack

Web Fraud Attacks Against LLM-Driven Multi-Agent Systems

2025 0 cit.
76%
attack

ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore

2026 0 cit.
75%
attack

Servant, Stalker, Predator: How An Honest, Helpful, And Harmless (3H) Agent Unlocks Adversarial Skills

2025 0 cit.
75%
survey

Systematization of Knowledge: Security and Safety in the Model Context Protocol Ecosystem

2025 8 cit.
AI Supply Chain Attacks
75%
attack

FuncPoison: Poisoning Function Library to Hijack Multi-agent Autonomous Driving Systems

2025 1 cit.
AI Supply Chain Attacks
72%
benchmark

MalTool: Malicious Tool Attacks on LLM Agents

2026 0 cit.
AI Supply Chain Attacks
71%
benchmark

LPS-Bench: Benchmarking Safety Awareness of Computer-Use Agents in Long-Horizon Planning under Benign and Adversarial Scenarios

2026 1 cit.
65%