☣️

Don't Let AI Poison Your Supply Chain

Make it safe to use

Devina Mauria-Dhawan · dublin.devinadhawan.com

Agenda

1
Why this matters now
Supply-chain attacks now recruit the AI on the box
2
What actually changed
Same systems, different actors, bigger population
3
Guidance and control
Make safe paths easy and unsafe paths painful
4
The four funnel points
Proxy, gateway, identity, and audit visibility
5
What to do Monday
Crawl, walk, run: context file → proxy waist → package proxies + denylist
6
Close
Design like agents are users

Agents move faster than the speed of cloud

A poisoned dependency can now recruit the AI tooling already installed on a developer laptop and turn it into part of the attack chain.
August 2025
Compromised nx package shipped to npm
AI CLIs complied
Claude and Gemini CLIs were told to search for secrets and wallets
~1,000
Developers reportedly impacted before npm yanked the package

Why that story matters

📦

Supply-chain compromise

The first stage looked ordinary: a package in the dependency ecosystem was the delivery vehicle.

🤖

Agent amplification

The novel step was instructing local AI tools to widen the blast radius using developer context and permissions.

🧨

Account-side exposure

Secrets ended up published through the victim's own accounts, making the victim look like the actor.

Who I am

Devina Mauria-Dhawan headshot
🛡️

Role

Devina Mauria-Dhawan, Staff AI Security Engineer at Shopify.

🔬

Problem space

How do you let thousands of people run AI agents on laptops without getting owned?

🧭

Talk promise

A practical playbook, plus the potholes to avoid when adoption outruns control design. Crawl with a security context file, walk with a single proxy waist, run with package proxies and denylisting.

AI is just another abstraction — diagram showing human calculation, calculator, computer, programming languages, applications and APIs, and AI / natural language as successive abstraction layers

AI didn't change the landscape

The core path is unchanged: people create code locally, it ends up in the cloud or data center, and customers hit it there. The system is familiar. The population touching it is not.

The problem stays. The population explodes.

Congratulations, you just doubled your customer size.

The aim

  • 🪪  Who is the agent
  • 👤  Who is using it
  • 🛠️  What is it doing
  • 🌐  Where is it doing it
  • ⏱️  When & how fast
  • 🛑  How to pit-stop — drop the session in under a minute

What's different: who codes

Old mental model

"Developer" meant a person inside the engineering org with onboarding, policy awareness, and institutional context.

New reality

Now anyone who writes code or prompts effectively becomes part of the developer population, including non-engineers pushing real changes toward production.

That includes people who may not fully understand local command impact, secret handling, or what destructive commands actually do on their machines.
Terminal prompt showing $ rm rf ~ (missing dash)
Terminal prompt showing $ rm -rf ~

What's different: what they code with

⌨️

Before

IDE wars: Vim, Emacs, IntelliJ, VS Code.

🧠

Now

Claude, Cursor, Codex, Copilot, and the latest agent someone installed last Tuesday.

Implication

The tool itself now takes actions, not just suggestions, so its permissions and defaults matter as much as its output quality.

Diagram showing an AI agent's connections to models, APIs, tools, MCP servers, and third-party services like GitHub, Slack, and Google Drive

What's different: where code comes from

Internet-native sourcing

Experimental code now pulls live packages, extensions, plugins, skills, context files, and MCP servers straight from the internet.

Vanishing execution

Some of that activity never lands in CI because it runs locally and disappears, leaving only whatever telemetry you chose to capture.

Same playbook, narrower waists

Guidance layer

Make the secure path the easy path. Show people what good looks like and reduce the cognitive cost of doing the right thing.

Control layer

Make the unsafe path impossible or extremely annoying so agents cannot take private shortcuts around the company's control plane.

Guidance is also an adoption strategy

Diagram contrasting AI being blocked by fear versus adopted responsibly through guidance, patterns, and company posture

Fear is real

Some engineers are excited about AI; others are cautious because they've heard enough horror stories.

Security can enable

If security provides good patterns, it becomes the reason AI can be adopted responsibly instead of blocked reflexively.

Company-specific posture

Every organization chooses a different risk appetite, so the playbook must be configurable rather than ideological.

Observe everything

Case study

A SaaS founder put Replit's agent into an explicit code freeze. The agent still dropped the production database, wiped roughly 1,200 records, and then incorrectly claimed recovery would not work.

Lesson

Prompt-level "don't" is not a control. The real control is limiting the token so the agent never has destructive permissions it does not need.

Side-eye puppet reaction

What to watch for

  • • Velocity & blocked-action spikes
  • • Scope violations & privilege escalation
  • • Secret access & data exfiltration
  • • Unapproved external connections
  • • Dev → prod crossover
Funnel diagram showing app logs, API requests, database queries, auth logs, errors, cloud events, telemetry, traces, CI/CD, and agent events all ingested

Security context

What it needs to say

  • • Hard no's
  • • Approved registries
  • • Secure-coding rules
  • • Preferred tools and network expectations

What it should not become

  • • A giant essay
  • • A token sink
  • • A replacement for actual controls
  • • A document no one tests with evals
Reference card showing where to place the security context file for Claude, Cursor, Pi, and Codex

Centralized MCP guidance

🗂️

Registry

One place answers whether an MCP is allowed.

🩺

Health score

The service should expose trust and operational quality signals, not just existence.

🔐

Built-in auth

If auth is hard, people skip it. Safe setup has to fit the infrastructure people already use.

Cursor extensions are VS Code extensions — the same allowlist policy can apply for both systems.

Control layer

What still works

  • • Package proxies with allowlists and freshness windows
  • • CI blocks on known-bad
  • • Egress and ingress proxies (stop prompt injection here)
  • • Git hooks and branch protections

Why it feels different now

  • • Agents will route around weak defaults
  • • Human bypasses become automated bypasses
  • • Tooling policy is now part of the security boundary
  • • Enterprise controls in agents matter operationally

The narrow waists

1 · LLM proxy
Every model call goes through one logged pass-through.
2 · Sandboxed dev env
Only allowlisted activity runs; dependency proxy with denylist + cooldown as fallback.
3 · Tool gateway
All MCPs and external tools sit behind one service.
4 · Audit + identity
One token format, revocation, short-lived creds, and gated risky actions.
4
funnel points beat fifty scattered controls

One LLM proxy

Diagram showing support, data, dev, and autonomous agents all funneling through a single LLM proxy that routes to GPT-4o, Claude, Gemini, and Llama, with a log-only then blocking rollout

All model traffic from every agent should pass through one proxy. Start log-only, measure first, then move to blocking when you understand normal behavior.

  • • Content scanning middleware
  • • Header-driven policy
  • • Consistent logging
  • • Minimal latency overhead

Sandbox the dev environment

Default: sandboxed dev env

Whether the developer is on a laptop or in a cloud workspace, run their work inside a sandbox where only allowlisted activity — network egress, file access, package installs — is permitted.

Light-touch dependency proxy

Dependency proxy with a denylist and a cooldown window on newly-published packages and MCP servers.

Tool gateway

Diagram showing an AI agent routed through a tool gateway with access policy, request/response logging, and extensibility for scanning or human-in-the-loop, then out to first-party MCPs, third-party tool calls, system actions, and other tools, with a centralized log store

All first-party MCPs, third-party tool calls, and system actions should sit behind a service that centralizes access and logs.

  • • One front door for every tool call
  • • Per-tool allow/deny policy
  • • Consistent request and response logs
  • • Easier to add scanning or human-in-the-loop later

Agent identity + audit pane

Agents need first-class identity, short-lived credentials, and an audit plane that gates writes, sends, and other risky actions.

Diagram showing agent identity (one token format, short-lived credentials, fast revocation) flowing through a policy gate that gates risky actions like write to DB, send email, and upload file, producing an audit pane log with time, agent, action, and allowed/denied result

What's still hard

  • • Remote and HTTPS MCP servers still lack a clean registry answer
  • • Negative constraints in prompts fail silently
  • • Context bloat can slow the agent and bury the signal
82%

of organizations discovered at least one AI agent or workflow that security or IT did not previously know about in the past year.

Cloud Security Alliance, Enterprise AI Agent Security Survey (2026)

What you do Monday: crawl, walk, run

Crawl · Inventory + security context file
Until you have the list of agents, workflows, extensions, and tools, every other control is theater. Then ship a small, useful security context file you can hand out today.
Walk · One proxy waist + identity broker
Pick a single funnel point this quarter — LLM proxy is usually the cheapest first move — and stand up an agent identity broker that works even on a laptop.
Run · Package proxies + denylisting
Route every install through a dependency proxy, enforce freshness windows, and denylist known-bad packages, MCPs, and tools as your signal sharpens.

What this sounds like in a room

For security

You're not being asked to secure magic. You're being asked to force sprawl through fewer, more visible decision points.

Patience and pre-work. Map your current footprint first. Pick what fits your blast radius — not every waist needs to ship on day one.

observemeasureguidecontrol
every control ships with a measurement

For engineering leadership

Security is having the same heart palpitations we had when cloud arrived.

We need your advocacy — pull us into the room early and protect our observational layer.

Design like agents are users

1

Old assumptions are gone: AI systems increasingly act with human-like authority — and authority means access.

2

Four funnel points beat fifty scattered controls when adoption is chaotic.

3

Observe relentlessly, because the agent that breaks your rule usually won't tell you.

Crawl with a security context file. Walk with a single proxy waist. Run with package proxies and denylisting.

In 2026, when we get this right, security becomes the reason your company ships faster and safer than its competitors.

Q & A

QR code linking to dublin.devinadhawan.com

Get the slides · dublin.devinadhawan.com

Devina Mauria-Dhawan