Saved in:
Bibliographic Details
Main Authors: Jiang, Xiaochong, Yang, Shiqi, Yang, Wenting, Liu, Yichen, Ji, Cheng
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2602.19555
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914487930454016
author Jiang, Xiaochong
Yang, Shiqi
Yang, Wenting
Liu, Yichen
Ji, Cheng
author_facet Jiang, Xiaochong
Yang, Shiqi
Yang, Wenting
Liu, Yichen
Ji, Cheng
contents Agentic systems based on large language models (LLMs) operate not merely as text generators but as autonomous entities that dynamically retrieve information and invoke tools. This execution model shifts the attack surface from traditional build-time artifacts to inference-time dependencies, exposing agents to manipulation through untrusted data and probabilistic capability resolution. While prior work has examined model-level vulnerabilities, security risks arising from the complex, cyclic runtime behavior of agents remain fragmented. This paper systematizes existing research into a unified runtime framework. We categorize threats into data supply chain attacks (distinguishing between transient context injection and persistent memory poisoning) and tool supply chain attacks (spanning discovery, implementation, and invocation phases). Crucially, we identify the emergence of the Viral Agent Loop, where agents effectively become vectors for self-propagating generative worms that require no code vulnerabilities to spread. We argue for a transition to a Zero-Trust Runtime Architecture, where context is treated as untrusted control flow, and tool execution is bounded by cryptographic provenance rather than semantic likelihood.
format Preprint
id arxiv_https___arxiv_org_abs_2602_19555
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle SOK: A Taxonomy of Attack Vectors and Defense Strategies for Agentic Supply Chain Runtime
Jiang, Xiaochong
Yang, Shiqi
Yang, Wenting
Liu, Yichen
Ji, Cheng
Cryptography and Security
Artificial Intelligence
Agentic systems based on large language models (LLMs) operate not merely as text generators but as autonomous entities that dynamically retrieve information and invoke tools. This execution model shifts the attack surface from traditional build-time artifacts to inference-time dependencies, exposing agents to manipulation through untrusted data and probabilistic capability resolution. While prior work has examined model-level vulnerabilities, security risks arising from the complex, cyclic runtime behavior of agents remain fragmented. This paper systematizes existing research into a unified runtime framework. We categorize threats into data supply chain attacks (distinguishing between transient context injection and persistent memory poisoning) and tool supply chain attacks (spanning discovery, implementation, and invocation phases). Crucially, we identify the emergence of the Viral Agent Loop, where agents effectively become vectors for self-propagating generative worms that require no code vulnerabilities to spread. We argue for a transition to a Zero-Trust Runtime Architecture, where context is treated as untrusted control flow, and tool execution is bounded by cryptographic provenance rather than semantic likelihood.
title SOK: A Taxonomy of Attack Vectors and Defense Strategies for Agentic Supply Chain Runtime
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2602.19555