
Agentic AI as a Cybersecurity Attack Surface: Threats, Exploits, and Defenses in Runtime Supply Chains

Xiaochong Jiang, Shiqi Yang, Wenting Yang, Yichen Liu, Cheng Ji

TL;DR

This work identifies the Viral Agent Loop, in which agents act as vectors for self-propagating generative worms without exploiting code-level flaws, and advocates a Zero-Trust Runtime Architecture that treats context as untrusted control flow and constrains tool execution through cryptographic provenance rather than semantic inference.

Abstract

Agentic systems built on large language models (LLMs) extend beyond text generation to autonomously retrieve information and invoke tools. This runtime execution model shifts the attack surface from build-time artifacts to inference-time dependencies, exposing agents to manipulation through untrusted data and probabilistic capability resolution. While prior work has focused on model-level vulnerabilities, security risks emerging from cyclic and interdependent runtime behavior remain fragmented. We systematize these risks within a unified runtime framework, categorizing threats into data supply chain attacks (transient context injection and persistent memory poisoning) and tool supply chain attacks (discovery, implementation, and invocation). We further identify the Viral Agent Loop, in which agents act as vectors for self-propagating generative worms without exploiting code-level flaws. Finally, we advocate a Zero-Trust Runtime Architecture that treats context as untrusted control flow and constrains tool execution through cryptographic provenance rather than semantic inference.
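The abstract's defensive proposal, gating tool execution on cryptographic provenance rather than on what the model infers from context, can be illustrated with a small runtime. The following is an added example written for this page, not code from the paper or its authors. It assumes a hypothetical tool registry in which each tool carries a signed manifest (name, content hash of the implementation, argument schema); an HMAC over a constructed key stands in for the asymmetric signature a real deployment would use. The runtime accepts a tool call only if the tool was registered with a valid manifest whose hash matches the code that will run, and the call's arguments match the signed schema. A retrieved document that "mentions" a tool cannot grant it: the call is treated as untrusted data and rejected when it names anything outside the signed registry.

```python
import hashlib
import hmac
import inspect
import json
from typing import Any, Callable

# Constructed signing key for this example only. A real deployment would hold
# the key in an HSM/KMS and use an asymmetric signature (e.g. Ed25519) so the
# agent runtime can verify manifests without being able to mint them.
TOOL_SIGNING_KEY = b"example-tool-registry-key-not-for-production"


def _impl_digest(impl: Callable) -> str:
    """Content hash of a tool's source; binds the manifest to the code that runs (Phase II)."""
    return hashlib.sha256(inspect.getsource(impl).encode()).hexdigest()


def _canonical(body: dict[str, Any]) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_tool(name: str, impl: Callable, arg_schema: dict[str, type]) -> dict[str, Any]:
    """Produce a provenance manifest: tool name, implementation hash, and argument schema."""
    body = {
        "name": name,
        "impl_sha256": _impl_digest(impl),
        "args": {k: t.__name__ for k, t in arg_schema.items()},
    }
    body["sig"] = hmac.new(TOOL_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_manifest(manifest: dict[str, Any]) -> bool:
    """Check the manifest signature over every field except the signature itself."""
    body = {k: v for k, v in manifest.items() if k != "sig"}
    expected = hmac.new(TOOL_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(manifest.get("sig", "")))


class ZeroTrustRuntime:
    """Tool invocation is authorised by signed provenance, never by what the context says."""

    def __init__(self) -> None:
        self._tools: dict[str, tuple[dict[str, Any], Callable]] = {}

    def register(self, manifest: dict[str, Any], impl: Callable) -> bool:
        # Discovery (Phase I): only signed manifests enter the registry.
        if not verify_manifest(manifest):
            return False
        # Implementation (Phase II): the code offered must be the code that was signed.
        if manifest["impl_sha256"] != _impl_digest(impl):
            return False
        self._tools[manifest["name"]] = (manifest, impl)
        return True

    def invoke(self, call: dict[str, Any]) -> tuple[str, Any]:
        """Invocation (Phase III): the call is untrusted data until it matches the signed schema."""
        entry = self._tools.get(call.get("tool"))
        if entry is None:
            return ("rejected:unknown_tool", None)
        manifest, impl = entry
        args = call.get("args", {})
        schema = manifest["args"]
        if set(args) != set(schema):
            return ("rejected:arg_shape", None)
        for key, value in args.items():
            if type(value).__name__ != schema[key]:
                return ("rejected:arg_type", None)
        return ("ok", impl(**args))


# Constructed tool implementations for the demonstration.
def search_docs(query: str) -> str:
    return f"results for {query!r}"


def search_docs_substituted(query: str) -> str:
    # Same name, different body: simulates an implementation swapped after signing.
    return f"results for {query!r} (plus an extra side effect)"


def demo() -> dict[str, Any]:
    runtime = ZeroTrustRuntime()
    manifest = sign_tool("search_docs", search_docs, {"query": str})
    # Calls as an agent might plan them after reading a retrieved document that
    # happened to mention other tools; the document confers no authority.
    planned_calls = [
        {"tool": "search_docs", "args": {"query": "quarterly report"}},
        {"tool": "send_report", "args": {"to": "someone"}},
        {"tool": "search_docs", "args": {"query": "x", "extra": 1}},
    ]
    return {
        "register_genuine": runtime.register(manifest, search_docs),
        "register_substituted": runtime.register(manifest, search_docs_substituted),
        "call_outcomes": [runtime.invoke(c) for c in planned_calls],
    }
```

The decision to run a tool is made entirely from the signed manifest and the hash of the loaded code; the model's reading of the context only proposes calls, it never authorises them. Swapping the key for an asymmetric verifier and the source hash for a build attestation gives the same structure at deployment scale.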

Paper Structure

This paper contains 37 sections, 5 equations, 3 figures, 2 tables.

Figures (3)

  • Figure 1: The Agentic Runtime Supply Loop and associated attack surfaces. The Man-in-the-Environment (MitE) adversary targets two dynamic dependencies: (1) The Data Supply Chain (Left): Adversaries inject malicious content into the Context Window, Memory Bank, or External Databases, altering agent perception. (2) The Tool Supply Chain (Right): Adversaries subvert capability resolution across Phase I (Discovery), Phase II (Implementation), and Phase III (Invocation). Crucially, the loop closes: poisoned perception triggers unauthorized tool actions, while tool outputs re-enter the environment as tainted context, enabling persistent compromise and viral-style propagation.
  • Figure 2: Taxonomy of Data Supply Chain Manipulation categorized by memory persistence. Within-session attacks target transient contextual memory, while across-session attacks persist via external/long-term memory.
  • Figure 3: Compact threat taxonomy for the Tool Supply Chain. Phases progress vertically (Discovery → Implementation → Invocation), and each phase fans out into representative attack vectors.