TL;DR: AgentMesh is joining VirusTotal's Crowdsourced AI program to add behavioural analysis for MCP servers, AI skills and VS Code extensions, surfacing prompt injection, typosquatting, unexpected network behaviour and secret exfiltration patterns in the agentic software supply chain, according to Knostic. The signal is clear: agent tooling now needs supply-chain-style inspection because traditional signature-based controls are too slow for fast-moving AI components.
NHIMG editorial — based on content published by Knostic: A threat intel feel for agentic AI. Get AgentMesh today
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams govern AI agent toolchains that include MCP servers and IDE extensions?
A: Security teams should treat every MCP server and IDE extension as a governed access path, not a convenience layer.
Q: Why do compromised AI agent tools create NHI risk?
A: Compromised agent tools create NHI risk because they can redirect delegated access without needing to steal the primary agent account.
Q: What should teams look for when assessing AI agent supply chain risk?
A: Teams should look for typosquatting, unexpected network behaviour, secret exfiltration patterns, and unusual response shaping.
Practitioner guidance
- Inventory agent tool dependencies Catalog every MCP server, IDE extension, skill, and plugin used by AI assistants, then assign an owner, business purpose, and review date for each dependency.
- Inspect behaviour, not just packages Add behavioural analysis for tool metadata, response shaping, outbound connections, and secret access attempts so suspicious components can be identified even when they appear legitimate.
- Bind agent tools to least privilege Limit the data sources, commands, and network paths available to each agent tool, and revoke broad access by default when the component does not need it for a defined task.
What's in the full article
Knostic's full blog post covers the operational detail this post intentionally leaves for the source:
- How AgentMesh classifies MCP servers and VS Code extensions as benign, suspicious, or malicious
- The behavioural signals used to detect prompt injection and secret exfiltration patterns in tool content
- The specific agentic supply chain cases Knostic says it has been tracking across 2026
- How VirusTotal's Crowdsourced AI program is intended to surface agent-layer verdicts in analyst workflows
👉 Read Knostic's analysis of AI agent supply chain threats and AgentMesh →
Agentic AI supply chain threats: what security teams need to watch?
Explore further
Agentic supply chain risk is becoming an identity problem, not just a software integrity problem. When an AI agent consumes a tool, server, or extension, it is inheriting that component's trust into an execution pathway. That makes the component ecosystem part of the non-human identity governance surface, because delegated access can be redirected without changing the primary agent account. Practitioners should treat agent tooling as governed identity infrastructure, not optional add-ons.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: Who is accountable when an AI agent extension causes data exposure or secret leakage?
A: Accountability should sit with the team that approved, deployed, and monitored the component, not with the agent itself. Governance must define who owns component review, who can approve elevated access, and who responds when a tool changes behaviour. Without that assignment, incident response becomes fragmented and remediation slows.
👉 Read our full editorial: Agentic AI supply chain threats are moving into security workflows