Security skills for AI coding agents — incident response for supply chain attacks, credential rotation, IOC detection. Works with Claude Code, Codex, Cursor, or as standalone scripts and runbooks.
# agent-infra-security

Security skills for AI coding agents. When your dependencies get compromised, these skills are the incident response playbook your agent follows.

## Three supply chain attacks in ten days

**March 19, 2026 — Trivy.** Attackers compromise 76 of 77 tags on `aquasecurity/trivy-action`. Every GitHub Actions workflow using a tag reference runs attacker-controlled code. CI secrets — cloud credentials, deploy keys, package registry tokens — are exfiltrated via dead-drop repos.

**March 23, 2026 — KICS.** Using credentials stolen from the Trivy attack, attackers pivot to Checkmarx KICS, overwriting 35 tags on `checkmarx/kics-github-action`. The cascade continues.

**March 24, 2026 — LiteLLM.** Credentials stolen from the KICS compromise are used to publish backdoored versions of LiteLLM on PyPI (1.82.7, 1.82.8). The malware drops a `.pth` file in `site-packages/` — Python executes it on every interpreter startup, before your code even imports. SSH keys, AWS credentials, `.env` files, everything is swept and exfiltrated. Most affected developers never directly installed LiteLLM — it was pulled in transitively by CrewAI, DSPy, and Browser-Use.

**March 31, 2026 — Axios.** The npm maintainer account `jasonsaayman` is compromised. Malicious versions `[email protected]` and `[email protected]` are published, injecting a typosquatted dependency `plain-crypto-js` that deploys platform-specific backdoors: a disguised binary on macOS (`/Library/Caches/com.apple.act.mond`), a renamed PowerShell on Windows (`wt.exe`), a Python script on Linux (`/tmp/ld.py`). The payload self-deletes its installer and swaps `package.json` to cover its tracks. Axios has 80 million weekly downloads.

**One compromised account cascaded across three ecosystems in ten days.** GitHub Actions → PyPI → npm. Each attack used credentials stolen from the previous one.

## Why agents need security skills

AI coding agents run `pip install`, `npm install`, and GitHub Actions
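The `.pth` startup hook used in the LiteLLM compromise is something an agent can check for directly. The following is an added example, not one of this repository's skills: it lists every `.pth` file in the site-packages directories and flags the `import` lines that Python's `site` module executes at startup. The suspect-substring list and the sample directory it builds are constructed assumptions, not the project's IOC set.

```python
"""Flag .pth files whose lines Python's site module would execute at startup."""
import os
import re
import site
import tempfile

# site.py exec()s any .pth line that starts with "import"; every other line
# is treated as a path entry and never executed.
EXEC_PREFIX = re.compile(r"^\s*import\b")
# Constructed heuristic list of substrings worth a closer look on an
# import-line; an assumption for this example, not an exhaustive IOC set.
SUSPECT = ("exec(", "eval(", "base64", "subprocess", "urllib", "socket", "compile(")


def scan_pth_file(path):
    """Return (line_no, line) pairs for import-lines carrying suspect calls."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if EXEC_PREFIX.match(line) and any(s in line for s in SUSPECT):
                findings.append((no, line.rstrip("\n")))
    return findings


def scan_site_dirs(dirs):
    """Scan every *.pth in the given directories; map file path -> findings."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                full = os.path.join(d, name)
                hits = scan_pth_file(full)
                if hits:
                    report[full] = hits
    return report


def demo():
    """Constructed sample: one benign path-only .pth, one that runs code."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "easy-install.pth"), "w") as fh:
        fh.write("/srv/app/src\n")  # plain path entry, never executed
    with open(os.path.join(tmp, "zzz_cache.pth"), "w") as fh:
        fh.write("import os\n")  # harmless on its own
        fh.write("import base64,sys;exec(base64.b64decode('cHJpbnQoMSk='))\n")
    return scan_site_dirs([tmp])  # -> one finding, line 2 of zzz_cache.pth


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for path, hits in scan_site_dirs(dirs).items():
        for no, line in hits:
            print(f"{path}:{no}: {line}")
```

Run it after any `pip install` in CI; a non-empty report on a fresh environment is the signal to stop and rotate the credentials that runner could reach.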