--- title: "The Poisoned Library" description: "When an AI agent trusts a tool server the way an app trusts a package, the supply chain attack surface moves with it. This is not a new problem wearing new clothes." url: "https://hoeijmakers.net/the-poisoned-library/" date: 2026-06-03 author: "Rob Hoeijmakers" site: "hoeijmakers.net" language: "en" tags: ["AI Governance"] --- # The Poisoned Library In early 2024, a developer named Jia Tan committed a small compression fix to XZ Utils, a library present on almost every Linux server in the world. The fix was legitimate. So were dozens of previous contributions, spread across two years of careful, patient participation in the project. The backdoor came later, buried in a build script, designed to silently compromise SSH authentication. It was caught almost by accident, by an engineer who noticed his login was taking a few milliseconds longer than expected. The XZ incident is not a story about a clever attack. It is a story about what happens when trust is structural and invisible. ## The Supply Chain Problem Software runs on software. Every application you deploy is a stack of dependencies: packages, libraries, modules, each written by someone you have likely never heard of, each trusted implicitly because it was published to a registry and downloaded enough times to seem legitimate. This is how modern software works. It is also how it fails. Supply chain attacks exploit that implicit trust. The attacker does not break into your system directly. They become part of the infrastructure your system depends on. A typosquatted package name on PyPI. A compromised npm maintainer account. A years-long social engineering campaign on an open source project. The payload arrives as a dependency update, signed and versioned and entirely unremarkable. This attack surface has been growing for years. What is new is where it is heading. ## The Agent Layer An AI agent does not run on a library. It runs on tools. When I connect Claude to my calendar, my files, my search index, those connections are mediated by servers that describe their own capabilities and respond to the model's requests. The Model Context Protocol, or MCP, is one architectural approach to this: a standard for how agents discover what they can do, and how tool servers register and coordinate. The parallelism with package managers is uncomfortable and exact. An agent that trusts an MCP server is in a structurally similar position to an application that trusts an npm package. If that server is compromised, or malicious from the start, it does not just leak data. It has privileged access to the agent's reasoning and actions. It can inject instructions. It can redirect tool calls. It can quietly reshape what the agent believes it is doing. Prompt injection through a tool response is one version of this. A malicious server could return content that includes embedded instructions to the model, exploiting the fact that the agent cannot reliably distinguish between data and commands. This is not theoretical. Security researchers have demonstrated it repeatedly in the past year. The harder version is what you might call an identity attack: a server that presents itself as something trusted, behaves normally most of the time, and activates specific behavior under specific conditions. Not unlike a build script that only runs its payload on certain architectures, during certain hours. While this article was being written: On June 3, 2026, OpenAI sent a security notification to users of its macOS apps. A widely used open-source npm library, TanStack, had been compromised. Not the apps themselves, but the build process surrounding them — precisely the link this article is about. OpenAI was forced to rotate code signing material for ChatGPT Desktop, Codex, Atlas, and the Codex CLI: the cryptographic signature that allows users to verify an app is genuinely from OpenAI. ## What This Reveals [The delegation problem of the internet](https://hoeijmakers.net/the-delegation-problem-of-the-internet/) is already a real constraint on what agents can do. Identity, authentication, and accountability are points of friction that slow down automation. But friction also provides a kind of protection. When an agent has to authenticate to act, there is a moment of legibility. A log entry. A confirmation. As agentic systems acquire broader permissions and more capable tool access, the question of what they trust, and on what basis, becomes structural. The answer cannot be "whatever is installed," any more than it can be "whatever is in node_modules." [Agents and Agency](https://hoeijmakers.net/agents-and-agency/) made the point that the real challenge is finding the right balance of delegation, control, and trust. That observation was made with autonomous AI systems in mind. Supply chain dynamics make it harder. The question is no longer just whether to delegate, but whether the thing you are delegating through is what it claims to be. ## The Governance Gap Regulators are not yet here. The EU AI Act classifies systems by risk and mandates transparency, but its model is primarily about the AI system itself, not the infrastructure it depends on. [ISO 42001](https://hoeijmakers.net/iso-42001-ai-governance/) addresses management systems around AI, which is closer, but still upstream of the specific attack surface that agentic tool ecosystems present. The Cyber Resilience Act, which covers software components, is the most applicable instrument. But it was designed for a world of packages, not a world of live tool servers that describe their own capabilities to autonomous agents at runtime. In the meantime, the XZ lesson applies: the most dangerous dependencies are not the ones you know are risky. They are the ones that have earned enough trust to stop being examined. XZ Utils is a data compression library used in most Linux distributions. The 2024 backdoor, introduced through patient long-term contribution, was discovered by Andres Freund at Microsoft and described as one of the most sophisticated supply chain attacks ever found in open source infrastructure.