Back to Intelligence

AI Coding Agent Supply Chain Attack: Detecting Malicious Repo Execution

SA
Security Arsenal Team
June 28, 2026
6 min read

The integration of Agentic AI into software development workflows has introduced a paradigm shift in productivity, but it has also opened a catastrophic new attack surface. Recent intelligence confirms that threat actors are now crafting "benign" GitHub repositories designed to exploit the autonomy of AI coding agents. Unlike traditional supply chain attacks that rely on malicious package uploads, this technique involves repositories that appear clean to static analysis and human reviewers but contain obfuscated instructions or "canary" logic that triggers malicious execution only when processed by an autonomous agent.

When an AI agent is tasked with cloning and setting up these repositories, it autonomously executes build scripts, makefiles, or installation commands. The attackers leverage this trust to execute arbitrary code on the developer's workstation or CI/CD environment—completely bypassing standard file-based security scanners. Defenders must immediately address this blind spot in their detection logic, as traditional file-integrity monitoring and static code analysis are insufficient against this dynamic execution vector.

Technical Analysis

This threat targets the "Autonomous Execution" layer of AI development tools. The attack vector does not rely on a specific vulnerability (CVE) but rather on the intended functionality of Agentic AI systems.

  • Affected Products/Platforms: AI-powered coding assistants and autonomous agents (e.g., GitHub Copilot Workspace, Cursor, Replit agent, or custom enterprise AI dev tools) running on Windows, Linux, and macOS environments.
  • Attack Mechanism: The repository appears clean. However, the package., Makefile, setup.py, or .git/config (in advanced cases) includes instructions that the AI agent interprets as a necessary setup step. This may involve:
    • Running npm install or pip install with preinstall scripts that fetch second-stage payloads.
    • Executing base64-encoded commands embedded in comments or documentation that the agent is prompted to "analyze and apply."
    • Downloading external resources from non-standard repositories.
  • Exploitation Status: Confirmed active exploitation in the wild. Attackers are distributing these repos via social engineering, forum posts, and "suggested solutions" in developer channels.
  • Why it evades scanners: The malicious payload is not present in the repo; it is generated or fetched at runtime by the agent, or the trigger logic is indistinguishable from a legitimate setup command to the agent. Static Analyzers (SAST) see valid code; Dynamic Analyzers (DAST) may not trigger if the execution logic is context-dependent.

Detection & Response

Since this threat manifests as the abuse of legitimate administrative tools (package managers) performing suspicious actions, detection requires behavioral correlation. We must hunt for standard development tools spawning unauthorized shells or network utilities.

SIGMA Rules

YAML
---
title: Suspicious Shell Spawn via Package Manager
id: a9b2c3d4-5678-90ef-ghij-klmnopqrstuv
status: experimental
description: Detects package managers (npm, pip, cargo) spawning shells (powershell, bash) or network tools (curl, wget), typical of malicious build scripts in repo attacks.
references:
  - https://attack.mitre.org/techniques/T1059/
  - https://attack.mitre.org/techniques/T1105/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.004
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\npm.cmd'
      - '\npm.exe'
      - '\npx.cmd'
      - '\npx.exe'
      - '\python.exe'
      - '\pip.exe'
      - '\pip3.exe'
      - '\cargo.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\pwsh.exe'
      - '\curl.exe'
      - '\wget.exe'
  filter_legit:
    CommandLine|contains:
      - 'vite'
      - 'react-scripts'
      - 'next'
      - 'webpack'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate build scripts utilizing postinstall hooks for non-standard compilation (rare)
level: high
---
title: Linux Package Manager Spawning Network Shell
id: b1c2d3e4-5678-90fa-bcde-fghijklmnopq
status: experimental
description: Detects npm, pip, or make spawning bash/sh or curl/wget, indicative of a malicious repo setup script execution on Linux agents.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentProcessName|endswith:
      - 'npm'
      - 'npx'
      - 'python'
      - 'pip'
      - 'pip3'
      - 'make'
      - 'cargo'
    ParentImage|endswith:
      - '/npm'
      - '/python'
      - '/pip'
      - '/make'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/curl'
      - '/wget'
      - '/python' 
    CommandLine|contains:
      - 'http://'
      - 'https://'
      - 'exec'
      - 'eval'
  condition: selection
falsepositives:
  - Developers manually running scripts during debugging
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Agentic AI Suspicious Execution Chains
// Identifies build tools spawning unauthorized network or shell processes
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ ("npm.exe", "npx.exe", "node.exe", "python.exe", "pip.exe", "make.exe", "cargo.exe", "bash", "sh")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh", "curl", "wget", "python")
| where ProcessCommandLine matches regex @"(iex|iwr|Invoke-WebRequest|curl.*http|wget.*http|exec\s*\(|eval\s*\()"
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious child processes of build tools
SELECT Pid, Ppid, Name, Username, CommandLine, Exe
FROM pslist()
WHERE Pid in (
    SELECT Ppid
    FROM pslist()
    WHERE Name =~ 'npm|npx|node|python|pip|cargo|make'
)
AND Name =~ 'powershell|cmd|bash|sh|curl|wget|python'
AND CommandLine =~ 'http|iex|invoke|eval|exec'

Remediation Script (PowerShell)

PowerShell
# Audit-AIAgentRepos.ps1
# Checks recent processes for suspicious AI Agent build chains

$SuspiciousParents = @('npm.exe', 'npx.exe', 'node.exe', 'python.exe', 'pip.exe', 'cargo.exe')
$SuspiciousChildren = @('powershell.exe', 'cmd.exe', 'curl.exe', 'wget.exe', 'pwsh.exe')
$SuspiciousKeywords = @('iex', 'iwr', 'Invoke-WebRequest', 'DownloadString', 'eval')

Write-Host "Scanning for Agentic AI process anomalies..." -ForegroundColor Cyan

$Events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) }

if ($null -eq $Events) {
    Write-Host "No Sysmon events found. Ensure Sysmon is running." -ForegroundColor Red
    exit
}

foreach ($Event in $Events) {
    $Xml = [xml]$Event.ToXml()
    $ParentImage = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ParentImage' } | Select-Object -ExpandProperty '#text'
    $Image = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq 'Image' } | Select-Object -ExpandProperty '#text'
    $CommandLine = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' } | Select-Object -ExpandProperty '#text'
    
    $ParentName = Split-Path $ParentImage -Leaf
    $ProcessName = Split-Path $Image -Leaf

    if ($SuspiciousParents -contains $ParentName -and $SuspiciousChildren -contains $ProcessName) {
        foreach ($Keyword in $SuspiciousKeywords) {
            if ($CommandLine -like "*$Keyword*") {
                Write-Host "[ALERT] Suspicious chain detected: $ParentName -> $ProcessName" -ForegroundColor Red
                Write-Host "Command: $CommandLine" -ForegroundColor Yellow
            }
        }
    }
}
Write-Host "Scan complete." -ForegroundColor Green

Remediation

To mitigate the risk of AI coding agents introducing malware via malicious repositories:

  1. Containerization: Force all AI coding agents to operate within an ephemeral, isolated container (e.g., Docker, Firecracker). Do not allow agents to run directly on a developer's host OS or a shared CI runner with persistent credentials.
  2. Network Egress Controls: Implement strict firewall rules for environments where AI agents run. Block access to the public internet from the build environment unless strictly necessary (allow-listing specific package registries like registry.npmjs.org).
  3. Policy Controls: Configure AI tools to require "Approval" steps before executing install, build, or run commands, rather than running in full autonomous mode.
  4. Least Privilege: Ensure the service account or user context running the AI agent has no write access to critical system paths or credential stores (e.g., ~/.aws, ~/.ssh).
  5. Review and Audit: Regularly audit GitHub repository access logs and CI/CD build logs for the specific process chains identified in the detection rules above.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemai-securitysupply-chaindevsecops

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action