AI Agent Threat Matrix
Matrix/Impact/T-9006
T-9006observed

Supply Chain Compromise

Compromise upstream dependencies, plugins, or MCP servers to affect all downstream agents

Tactic

Impact (Stage 9)

Modify data, deploy malicious code, or disrupt services

Attack Class

ORG-SKILL-SPREAD

Propagating malicious capabilities across an organization's agent fleet through shared skills and registries

Evidence

observed

Confirmed in real-world production systems or internet-wide exposure assessments.

DVAA Validation

mcp-rug-pull

Detection (HackMyAgent)

SUPPLY-001SUPPLY-002SUPPLY-003SUPPLY-004DEP-001DEP-002DEP-003DEP-004
npx hackmyagent secure --ci

Defense (OASB Controls)

OASB 6.1OASB 6.2OASB 6.3OASB 6.4OASB 6.5OASB 11.1OASB 11.2OASB 11.3OASB 11.4

How to Cite

AI Agent Threat Matrix T-9006 (Supply Chain Compromise). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-9006
← Back to Matrix