SOK: A Taxonomy of Attack Vectors and Defense Strategies for Agentic Supply Chain Runtime

Cheng Ji; Shiqi Yang; Wenting Yang; Xiaochong Jiang; Yichen Liu

arxiv: 2602.19555 · v2 · submitted 2026-02-23 · 💻 cs.CR · cs.AI

SOK: A Taxonomy of Attack Vectors and Defense Strategies for Agentic Supply Chain Runtime

Xiaochong Jiang , Shiqi Yang , Wenting Yang , Yichen Liu , Cheng Ji This is my paper

Pith reviewed 2026-05-15 21:01 UTC · model grok-4.3

classification 💻 cs.CR cs.AI

keywords agentic systemsLLM securitysupply chain attacksruntime threatsviral agent loopcontext injectiontool invocationzero-trust architecture

0 comments

The pith

Agentic LLM systems enable self-propagating generative worms via viral runtime loops

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper organizes security threats to agentic AI systems that dynamically retrieve information and invoke tools at inference time. It separates data supply chain attacks into transient context injection and persistent memory poisoning, while dividing tool supply chain attacks into discovery, implementation, and invocation phases. The work identifies the viral agent loop as an emergent risk where agents themselves become vectors for self-propagating generative worms that spread without any code vulnerabilities. A sympathetic reader would care because these systems shift the attack surface from build-time artifacts to cyclic runtime behavior, exposing autonomous agents to manipulation through untrusted data and probabilistic decisions. The paper concludes that existing defenses are insufficient and calls for a zero-trust runtime architecture.

Core claim

The paper identifies the emergence of the Viral Agent Loop, where agents effectively become vectors for self-propagating generative worms that require no code vulnerabilities to spread. It systematizes threats into data supply chain attacks, distinguishing transient context injection from persistent memory poisoning, and tool supply chain attacks spanning discovery, implementation, and invocation phases. The authors argue for a transition to a Zero-Trust Runtime Architecture in which context is treated as untrusted control flow and tool execution is bounded by cryptographic provenance rather than semantic likelihood.

What carries the argument

The Viral Agent Loop, the emergent mechanism by which agents propagate generative worms through their own context and tool interactions without traditional exploits.

If this is right

Data supply chain attacks split into short-lived transient injections versus long-term persistent memory poisoning.
Tool supply chain attacks create vectors at the points of discovery, implementation, and invocation.
Tool execution must be bounded by cryptographic provenance checks instead of semantic likelihood.
Context must be treated as untrusted control flow in any secure agent runtime.
A shift to zero-trust runtime architecture is required to address the new attack surface created by cyclic agent behavior.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Existing agent frameworks should add provenance tracking on every tool call to limit worm propagation.
Audits of deployed agents could test for viral loop formation by injecting context and observing downstream behavior.
Multi-agent systems may amplify the loop effect, suggesting a need for inter-agent isolation mechanisms.
The transient versus persistent distinction implies different detection timelines for monitoring tools.

Load-bearing premise

The proposed taxonomy categories comprehensively capture all runtime threats without significant overlap or omission, and the viral agent loop is a distinct emergent phenomenon separable from existing prompt injection or malware concepts.

What would settle it

An experiment in which one agent is induced to output context that causes a second independent agent to adopt and further propagate the same malicious behavior solely through its own tool calls and memory updates, with no shared code or explicit instructions.

read the original abstract

Agentic systems based on large language models (LLMs) operate not merely as text generators but as autonomous entities that dynamically retrieve information and invoke tools. This execution model shifts the attack surface from traditional build-time artifacts to inference-time dependencies, exposing agents to manipulation through untrusted data and probabilistic capability resolution. While prior work has examined model-level vulnerabilities, security risks arising from the complex, cyclic runtime behavior of agents remain fragmented. This paper systematizes existing research into a unified runtime framework. We categorize threats into data supply chain attacks (distinguishing between transient context injection and persistent memory poisoning) and tool supply chain attacks (spanning discovery, implementation, and invocation phases). Crucially, we identify the emergence of the Viral Agent Loop, where agents effectively become vectors for self-propagating generative worms that require no code vulnerabilities to spread. We argue for a transition to a Zero-Trust Runtime Architecture, where context is treated as untrusted control flow, and tool execution is bounded by cryptographic provenance rather than semantic likelihood.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

A useful taxonomy for LLM agent runtime risks that organizes the literature cleanly but leaves the viral loop claim overlapping too much with prompt injection.

read the letter

This paper pulls together work on attacks against LLM agents that pull external data and call tools. It frames the risks around a runtime model and splits them into data supply chain problems (context injection versus memory poisoning) and tool supply chain problems (discovery, implementation, invocation). That split tracks the execution flow and gives a clearer map than the scattered papers that came before it. The new label they introduce is the Viral Agent Loop, where an agent starts spreading bad behavior through its own outputs without any traditional code flaw. They close by arguing for zero-trust runtimes that treat context as untrusted and tie tool calls to cryptographic checks instead of model guesses. The taxonomy itself is the strongest part. It takes existing fragments on prompt injection, poisoning, and tool misuse and lines them up under consistent headings, which makes the attack surface easier to discuss. The categories are not arbitrary; they follow from how agents actually run. The soft spot is the viral loop. The description ends up looking like recursive prompt injection that already propagates through memory or tool results in current agent frameworks. Without a crisp property that sets it apart, the claim that this is a distinct emergent class rests on naming rather than a demonstrated separation. The zero-trust recommendation is reasonable directionally but stays high-level with little on how to enforce provenance in practice. This is the kind of paper that helps people who are actually shipping or securing agent systems. A practitioner or researcher who needs a shared vocabulary for these runtime threats will find it worth reading. It is coherent enough on its own terms to go to peer review; referees can tighten the boundaries around the new term and ask for more concrete examples of what falls inside versus outside the loop.

Referee Report

1 major / 2 minor

Summary. This SOK paper systematizes runtime security threats in LLM-based agentic systems. It partitions attacks into data supply chain threats (transient context injection versus persistent memory poisoning) and tool supply chain threats (discovery, implementation, and invocation phases). The central contribution is the identification of the Viral Agent Loop, in which agents act as vectors for self-propagating generative worms that require no code vulnerabilities, together with an argument for adopting a Zero-Trust Runtime Architecture that treats context as untrusted control flow and enforces cryptographic provenance on tool execution.

Significance. If the taxonomy is shown to be exhaustive and the Viral Agent Loop is rigorously separated from prior prompt-injection concepts, the work would usefully consolidate fragmented literature on agent runtime attacks and supply a concrete architectural direction for defenses that move beyond model-level mitigations.

major comments (1)

[Viral Agent Loop identification and Zero-Trust Runtime Architecture argument] The claim that the Viral Agent Loop constitutes a distinct emergent phenomenon separable from prompt injection is load-bearing for both the taxonomy's novelty and the call for Zero-Trust Runtime Architecture, yet no formal criterion (e.g., a property that cannot be reduced to semantic-likelihood manipulation of context) is supplied to establish the separation. The abstract description of recursive generation of malicious prompts via untrusted memory or tool outputs aligns directly with known prompt-injection propagation in agent frameworks.

minor comments (2)

[Taxonomy sections] The boundaries between transient context injection and persistent memory poisoning, and between the three tool-supply-chain phases, should be illustrated with a small number of concrete attack examples drawn from cited literature to reduce the risk of perceived overlap.
[Related work] Add an explicit comparison table or subsection that maps the new categories onto at least two prior taxonomies of LLM or agent attacks to clarify incremental contribution.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive feedback on our systematization of runtime threats in agentic LLM systems. We address the major comment below and will incorporate clarifications to strengthen the distinction of the Viral Agent Loop.

read point-by-point responses

Referee: [Viral Agent Loop identification and Zero-Trust Runtime Architecture argument] The claim that the Viral Agent Loop constitutes a distinct emergent phenomenon separable from prompt injection is load-bearing for both the taxonomy's novelty and the call for Zero-Trust Runtime Architecture, yet no formal criterion (e.g., a property that cannot be reduced to semantic-likelihood manipulation of context) is supplied to establish the separation. The abstract description of recursive generation of malicious prompts via untrusted memory or tool outputs aligns directly with known prompt-injection propagation in agent frameworks.

Authors: We agree that a more explicit formal criterion would strengthen the separation. The Viral Agent Loop is characterized by autonomous, multi-step propagation: an agent, after initial compromise via untrusted data or tool output, leverages its own planning and tool-calling loop to (i) generate new adversarial context, (ii) persist or transmit that context through memory updates or downstream agent invocations, and (iii) do so without requiring continued external attacker input. This produces a self-sustaining infection across the agent supply chain. Traditional prompt injection, by contrast, is typically a one-shot semantic manipulation that does not inherently trigger recursive self-propagation through the agent's runtime actions. In the revised manuscript we will add a formal definition in Section 3 that specifies these three properties and contrasts them with single-vector prompt injection, thereby clarifying why semantic-likelihood defenses are insufficient and motivating the Zero-Trust Runtime Architecture. revision: partial

Circularity Check

0 steps flagged

No circularity in taxonomy synthesis

full rationale

This SOK paper organizes prior literature on agentic runtime threats into data supply chain attacks (transient context injection, persistent memory poisoning) and tool supply chain attacks (discovery, implementation, invocation), while presenting the Viral Agent Loop as an identified emergent pattern. These are explicit definitional and categorization contributions drawn from external sources rather than outputs of any equations, fitted parameters, or self-referential derivations within the paper. No predictions reduce to inputs by construction, no uniqueness theorems are imported from the authors' prior work, and no ansatzes are smuggled via self-citation. The framework remains self-contained as a literature synthesis without load-bearing circular steps.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 2 invented entities

The paper relies on domain assumptions about agent runtime behavior and introduces two new conceptual entities without quantitative parameters or external validation.

axioms (1)

domain assumption Agentic LLM systems operate as autonomous entities that dynamically retrieve information and invoke tools at inference time
This describes the core execution model that shifts the attack surface to runtime dependencies.

invented entities (2)

Viral Agent Loop no independent evidence
purpose: To name and describe self-propagating generative worms spread through agent interactions
Newly identified phenomenon requiring no code vulnerabilities
Zero-Trust Runtime Architecture no independent evidence
purpose: Proposed defense framework treating context as untrusted and requiring cryptographic provenance for tools
New architecture advocated as transition from current practices

pith-pipeline@v0.9.0 · 5485 in / 1462 out tokens · 53258 ms · 2026-05-15T21:01:51.191036+00:00 · methodology

discussion (0)

Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

When Alignment Isn't Enough: Response-Path Attacks on LLM Agents
cs.CR 2026-05 unverdicted novelty 7.0

A malicious relay can strategically rewrite aligned LLM outputs in BYOK agent architectures to achieve up to 99.1% attack success on benchmarks like AgentDojo and ASB.
Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study
cs.CR 2026-04 accept novelty 7.0

Analysis of 17k LLM agent skills reveals 520 vulnerable ones with 1,708 leakage issues, primarily from debug output exposure, with a 10-pattern taxonomy and released dataset for future detection.