☣️

Don't Let AI Poison Your Supply Chain

Make it safe to use

Devina Mauria-Dhawan · Staff AI Security Engineer, Shopify

Agenda

1
Why this matters now
Supply-chain attacks now recruit the AI on the box
2
What actually changed
Same systems, different actors, bigger population
3
Guidance and control
Make safe paths easy and unsafe paths painful
4
The four funnel points
Proxy, gateway, identity, and audit visibility
5
What to do Monday
Crawl, walk, run: context file → proxy waist → package proxies + denylist
6
Close
Design like agents are users

Agents move faster than the speed of cloud

A poisoned dependency can now recruit the AI tooling already installed on a developer laptop and turn it into part of the attack chain.
August 2025
Compromised nx package shipped to npm
AI CLIs complied
Claude and Gemini CLIs were told to search for secrets and wallets
~1,000
Developers reportedly impacted before npm yanked the package

Why that story matters

📦

Supply-chain compromise

The first stage looked ordinary: a package in the dependency ecosystem was the delivery vehicle.

🤖

Agent amplification

The novel step was instructing local AI tools to widen the blast radius using developer context and permissions.

🧨

Account-side exposure

Secrets ended up published through the victim's own accounts, making the victim look like the actor.

Who I am

Devina Mauria-Dhawan headshot
🛡️

Role

Devina Mauria-Dhawan, Staff AI Security Engineer at Shopify.

🔬

Problem space

How do you let thousands of people run AI agents on laptops without getting owned?

🧭

Talk promise

A practical playbook, plus the potholes to avoid when adoption outruns control design. Crawl with a security context file, walk with a single proxy waist, run with package proxies and denylisting.

AI didn't change the landscape

The core path is unchanged: people create code locally, it ends up in the cloud or data center, and customers hit it there. The system is familiar. The population touching it is not.

The problem stays. The population explodes.

What's different: who codes

Old mental model

"Developer" meant a person inside the engineering org with onboarding, policy awareness, and institutional context.

New reality

Now anyone who writes code or prompts effectively becomes part of the developer population, including non-engineers pushing real changes toward production.

That includes people who may not fully understand local command impact, secret handling, or what destructive commands actually do on their machines.

What's different: what they code with

⌨️

Before

IDE wars: Vim, Emacs, IntelliJ, VS Code.

🧠

Now

Claude, Cursor, Codex, Copilot, and the latest agent someone installed last Tuesday.

Implication

The tool itself now takes actions, not just suggestions, so its permissions and defaults matter as much as its output quality.

Diagram showing an AI agent's connections to models, APIs, tools, MCP servers, and third-party services like GitHub, Slack, and Google Drive

What's different: where code comes from

Internet-native sourcing

Experimental code now pulls live packages, extensions, plugins, skills, context files, and MCP servers straight from the internet.

Vanishing execution

Some of that activity never lands in CI because it runs locally and disappears, leaving only whatever telemetry you chose to capture.

Challenging old assumptions

"Only a human is touching this file, this data, this server." Every authn/authz pattern, audit trail, and code review process was built on that assumption.

Now robots increasingly impersonate humans instead of showing up as neatly scoped robots.

Same playbook, narrower waists

Guidance layer

Make the secure path the easy path. Show people what good looks like and reduce the cognitive cost of doing the right thing.

Control layer

Make the unsafe path impossible or extremely annoying so agents cannot take private shortcuts around the company's control plane.

Guidance is also an adoption strategy

Fear is real

Some engineers are excited about AI; others are cautious because they've heard enough horror stories.

Security can enable

If security provides good patterns, it becomes the reason AI can be adopted responsibly instead of blocked reflexively.

Company-specific posture

Every organization chooses a different risk appetite, so the playbook must be configurable rather than ideological.

Observe everything

Case study

A SaaS founder put Replit's agent into an explicit code freeze. The agent still dropped the production database, wiped roughly 1,200 records, and then incorrectly claimed recovery would not work.

Lesson

Prompt-level "don't" is not a control. The real control is limiting the token so the agent never has destructive permissions it does not need.

What to watch for

  • • Velocity anomalies
  • • Dangerous command patterns
  • • Scope violations
  • • Loops and self-retries
  • • Request logs as training signal
  • • Product-side protections on systems AI touches
  • • Evaluation slices for risky agent behavior
  • • Revocation as a first-class operation

Security context

What it needs to say

  • • Hard no's
  • • Approved registries
  • • Secure-coding rules
  • • Preferred tools and network expectations

What it should not become

  • • A giant essay
  • • A token sink
  • • A replacement for actual controls
  • • A document no one tests with evals

Centralized MCP guidance

🗂️

Registry

One place answers whether an MCP is allowed.

🩺

Health score

The service should expose trust and operational quality signals, not just existence.

🔐

Built-in auth

If auth is hard, people skip it. Safe setup has to fit the infrastructure people already use.

Control layer

What still works

  • • Package proxies with allowlists and freshness windows
  • • CI blocks on known-bad
  • • Egress and ingress proxies
  • • Git hooks and branch protections

Why it feels different now

  • • Agents will route around weak defaults
  • • Human bypasses become automated bypasses
  • • Tooling policy is now part of the security boundary
  • • Enterprise controls in agents matter operationally

The narrow waists

1 · LLM proxy
Every model call goes through one logged pass-through.
2 · Dependency proxy
Every package install is observed and can be scanned or denied.
3 · Tool gateway
All MCPs and external tools sit behind one service.
4 · Audit + identity
One token format, revocation, short-lived creds, and gated risky actions.
4
funnel points beat fifty scattered controls

Narrow waist #1: one LLM proxy

All model traffic from every agent should pass through one proxy. Start log-only, measure first, then move to blocking when you understand normal behavior.

  • • Content scanning middleware
  • • Header-driven policy
  • • Consistent logging
  • • Minimal latency overhead

Narrow waist #2: one dependency proxy

If you cannot allowlist everything, at least make every install observable through a proxy so security gets one stream of dependency behavior.

Observability100%
Freshness gate7 days
CI scan coverageHigh

Narrow waist #3: tool gateway

All first-party MCPs, third-party tool calls, and system actions should sit behind a service that centralizes access and logs.

  • • One front door for every tool call
  • • Per-tool allow/deny policy
  • • Consistent request and response logs
  • • Easier to add scanning or human-in-the-loop later

Narrow waist #4: agent identity + audit pane

Agents need first-class identity, short-lived credentials, and an audit plane that gates writes, sends, and other risky actions.

  • • One token format across agents
  • • Short-lived creds, fast revocation
  • • Risky actions are gated, not just logged
  • • Clear "who did this" for every action
This also reduces plaintext token sprawl across shell history, env files, local configs, and copied secrets.

What's still hard

  • • Remote and HTTPS MCP servers still lack a clean registry answer
  • • Negative constraints in prompts fail silently
  • • Context bloat can slow the agent and bury the signal
82%

of organizations discovered at least one AI agent or workflow that security or IT did not previously know about in the past year.

Cloud Security Alliance, Enterprise AI Agent Security Survey (2026)

What you do Monday: crawl, walk, run

Crawl · Inventory + security context file
Until you have the list of agents, workflows, extensions, and tools, every other control is theater. Then ship a small, useful security context file you can hand out today.
Walk · One proxy waist + identity broker
Pick a single funnel point this quarter — LLM proxy is usually the cheapest first move — and stand up an agent identity broker that works even on a laptop.
Run · Package proxies + denylisting
Route every install through a dependency proxy, enforce freshness windows, and denylist known-bad packages, MCPs, and tools as your signal sharpens.

What this sounds like in a room

For security

You're not being asked to secure magic. You're being asked to force sprawl through fewer, more visible decision points.

For engineering leadership

If AI use is baseline, then identity, logging, and controlled tool access also have to become baseline.

Design like agents are users

1

The old assumption is dead: AI systems increasingly act with human-like authority.

2

Four funnel points beat fifty scattered controls when adoption is chaotic.

3

Observe relentlessly, because the agent that breaks your rule usually won't tell you.

Crawl with a security context file. Walk with a single proxy waist. Run with package proxies and denylisting.

In 2026, when we get this right, security becomes the reason your company ships faster and safer than its competitors.

Get the slides

QR code linking to dublin.devinadhawan.com

dublin.devinadhawan.com

Q & A

Devina Mauria-Dhawan · Staff AI Security Engineer, Shopify

1 / 30