agent-infra-security

agent-infra-security

Security skills for AI coding agents. When your dependencies get compromised, these skills are the incident response playbook your agent follows.

Three supply chain attacks in ten days

March 19, 2026 — Trivy. Attackers compromise 76 of 77 tags on aquasecurity/trivy-action. Every GitHub Actions workflow using a tag reference runs attacker-controlled code. CI secrets — cloud credentials, deploy keys, package registry tokens — are exfiltrated via dead-drop repos.

March 23, 2026 — KICS. Using credentials stolen from the Trivy attack, attackers pivot to Checkmarx KICS, overwriting 35 tags on checkmarx/kics-github-action. The cascade continues.

March 24, 2026 — LiteLLM. Credentials stolen from the KICS compromise are used to publish backdoored versions of LiteLLM on PyPI (1.82.7, 1.82.8). The malware drops a .pth file in site-packages/ — Python executes it on every interpreter startup, before your code even imports. SSH keys, AWS credentials, .env files, everything is swept and exfiltrated. Most affected developers never directly installed LiteLLM — it was pulled in transitively by CrewAI, DSPy, and Browser-Use.

March 31, 2026 — Axios. The npm maintainer account jasonsaayman is compromised. Malicious versions [email protected] and [email protected] are published, injecting a typosquatted dependency plain-crypto-js that deploys platform-specific backdoors: a disguised binary on macOS (/Library/Caches/com.apple.act.mond), a renamed PowerShell on Windows (wt.exe), a Python script on Linux (/tmp/ld.py). The payload self-deletes its installer and swaps package.json to cover its tracks. Axios has 80 million weekly downloads.

One compromised account cascaded across three ecosystems in ten days. GitHub Actions → PyPI → npm. Each attack used credentials stolen from the previous one.

Why agents need security skills

AI coding agents run pip install, npm install, and GitHub Actions workflows on your behalf. They pull dependencies, build containers, and deploy code. When a supply chain attack hits, the agent that installed the compromised package is also the fastest path to triage:

• It already knows your dependency tree
• It can search lockfiles, caches, and environments faster than you can type commands
• It can walk through a structured incident response instead of you grepping StackOverflow at 2am

But agents don't know incident response by default. These skills teach them.

What's in this repo

Six skills organized in layers:

Ecosystem-specific incident response

npm-supply-chain-response — Deep triage for compromised npm packages. Built around the Axios attack: typosquatted dependency injection, multi-platform backdoors, anti-forensics (self-deleting setup.js, package.md swap). Six-phase workflow with three output modes (interactive checklist, runbook, automated script).

pypi-supply-chain-response — Deep triage for compromised PyPI packages. Built around the LiteLLM attack: .pth startup hooks, transitive dependency exposure via pipdeptree -r, credential harvesting. Cross-platform manual playbook (Windows PowerShell, macOS, Linux).

github-actions-supply-chain-response — Incident response for tag overwriting attacks. Built around the Trivy → KICS cascade: org-wide workflow scanning, run window confirmation, IOC hunting in CI logs, dead-drop repo detection.

Credential lifecycle

credential-exfiltration-response — Full detection-to-rotation lifecycle. All ecosystem skills hand off here. Covers 13 credential classes (SSH, AWS with STS session invalidation, GCP, Azure, GitHub, npm, PyPI, Docker, Kubernetes, databases, .env secrets, CI/CD secrets, crypto wallets). Includes audit trail queries for every major cloud provider.

Generic fallback

supply-chain-security-check — Multi-ecosystem fallback for Go, Rust, Ruby, Java, .NET, Docker, and incidents that span multiple ecosystems. Routes to ecosystem-specific skills when available.

Proactive hardening

supply-chain-best-practices — Nine-category dependency audit: version pinning, lockfile integrity, install hooks, vulnerability scanning, provenance verification, CI secret scoping, SBOM generation, update strategy, package manager hardening. Produces a PASS/WARN/FAIL checklist. Use this before an incident, not during one.

Install

Add the marketplace in Claude Code:

/plugin marketplace add makash/agent-infra-security

Install the plugin:

/plugin install agent-infra-security@agent-infra-security

Reload plugins:

/reload-plugins

If you're outside Claude Code, prefix with claude: