Plastic Flowers to Protect the Hive

Agentic development has fundamentally changed the software ecosystem. Modern coding agents are trained and prompted to seek out tools that will help with their assigned coding tasks. They will install those tools into their user’s environment, with little to no oversight on what the installed package actually does, relying on name pattern matching more than any other signal.

This behavior is fundamental to the structure and limitations of the current agentic approach. The user could instruct the agent to do a deep dive on all packages that get installed, or the agent harness itself could bake that into the SOUL.md of the agent, but those extra instructions come at a cost of speed, context window size, and ultimately token spend. The incentives are not aligned for thorough security review at the boundary where the most damage could be realized, because users expect modern agents to reach for tools, install them, and use them, all in the same session.

As a result, agentic LLM usage takes a number of small security fires in the greater software ecosystem and pours on the gasoline. In the general case, the software supply chain problem is turning from smouldering peat into a full forest fire. In the specific case, typosquatting and namesquatting become sticks of dynamite that your CEO or CFO is now being encouraged to juggle.

To be blunt, the mcp-{noun} space in package repositories is dire, and utterly ripe for abuse.

Earlier this week, a practitioner who goes by da5ch0 reached out to a group I’m part of, asking for help in mitigating some of the potential damage in mcp-* slopsquatting. I both saw the scope of the potential problem and have experience with Python and Node packaging, and so SquatGuard was born.

The goal here, which you can read more about on GitHub, is to proactively protect the new wave of PyPI and NPM consumers by registering the package names that their agents might try to reach for to accomplish security tasks. The topline quote comes from da5ch0’s original thesis:

Pre-register hallucinated package names. Fill them with guardrails. The devastating spell becomes homework.

So for the past three days I’ve spun up a couple dozen PyPI and NPM packages, plus a few high-risk NPM @scope orgs, to prevent malicious actors from realizing these names are ripe for the taking. These packages clearly state their intention, link to the OWASP guide on securing LLMs, and only expose a single MCP endpoint with no outbound network calls. They use Trusted Publishing for both NPM and PyPI, providing as much attestation as I can.

These packages have been up for less than a week, and I can already see, from the PyPI download stats in BigQuery, that we are getting dozens of real hits from Raspbian and macOS users.

This isn’t a perfect solution, and there’s absolutely an element of whack-a-mole here. By the time I started looking, some of the more intuitive mcp-{noun} combos had already been taken. Sometimes there was a legitimate package on the other end. Sometimes it was just a Hello, world. I have so far not discovered any actively malicious packages, but we should consider that ecosystem-wide luck more than proof of paranoia. Any of those packages that are currently just placeholders make me nervous for the future, and SquatGuard will take ownership donations from anyone who wants them to go to a good home.
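Added example (not SquatGuard's code, and not part of the original post): a small pre-install triage that an agent harness or a human could run over the PyPI JSON API response for a package name before installing it. It scores exactly the signals an agent skips when it pattern-matches on a name: how old the project is, how many releases it has, whether it points at a source repository, and whether its own summary says it is a placeholder. The metadata below is constructed for the example and mirrors the shape of https://pypi.org/pypi/<name>/json; the thresholds and weights are assumptions, not anything the post specifies.

```python
"""Pre-install triage for guessable mcp-* package names.

Example code, not from SquatGuard. Input is a dict in the shape returned by
the PyPI JSON API (https://pypi.org/pypi/<name>/json); the samples at the
bottom are constructed for this example. Weights and thresholds are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Name shapes an agent is likely to guess when it "reaches for" an MCP tool:
# mcp-<noun>, mcp_<noun>, or <noun>-mcp.
GUESSABLE = re.compile(r"^(mcp[-_][a-z0-9][a-z0-9_-]*|[a-z0-9][a-z0-9_-]*[-_]mcp)$")
PLACEHOLDER_WORDS = ("placeholder", "reserved", "squat", "hello world", "todo")


@dataclass
class Verdict:
    name: str
    score: int
    reasons: list[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        # Assumed thresholds: 5+ block, 3-4 ask a human, otherwise allow.
        if self.score >= 5:
            return "block"
        if self.score >= 3:
            return "review"
        return "allow"


def _first_upload(releases: dict) -> datetime | None:
    """Earliest upload across all release files, or None if nothing was uploaded."""
    times = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for files in releases.values()
        for f in files
    ]
    return min(times) if times else None


def triage(name: str, meta: dict, now: datetime) -> Verdict:
    """Score PyPI metadata for the signs of a hastily registered placeholder."""
    v = Verdict(name, 0)
    info = meta.get("info") or {}
    releases = meta.get("releases") or {}

    if GUESSABLE.match(name):
        v.score += 2
        v.reasons.append("generic mcp-* name: exactly what an agent guesses")
    if len(releases) <= 1:
        v.score += 1
        v.reasons.append("single release")
    first = _first_upload(releases)
    if first is None:
        v.score += 2
        v.reasons.append("no uploaded files at all")
    elif now - first < timedelta(days=30):
        v.score += 2
        v.reasons.append(f"first upload only {(now - first).days} days ago")
    if not (info.get("project_urls") or info.get("home_page")):
        v.score += 1
        v.reasons.append("no source repository or homepage")
    summary = (info.get("summary") or "").lower()
    if len(summary) < 10 or any(w in summary for w in PLACEHOLDER_WORDS):
        v.score += 1
        v.reasons.append("summary is empty or describes a placeholder")
    return v


# Constructed sample metadata (fixed clock so results are reproducible).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLES = {
    "mcp-secretscan": {  # looks like a freshly reserved placeholder
        "info": {"summary": "Reserved", "project_urls": None, "home_page": ""},
        "releases": {"0.0.1": [{"upload_time_iso_8601": "2025-05-29T00:00:00Z"}]},
    },
    "mcp-wellknown": {  # generic name, but an established project
        "info": {
            "summary": "Well-established MCP server for widget inspection",
            "project_urls": {"Source": "https://example.invalid/mcp-wellknown"},
        },
        "releases": {
            "1.0.0": [{"upload_time_iso_8601": "2023-01-10T00:00:00Z"}],
            "1.4.0": [{"upload_time_iso_8601": "2024-06-01T00:00:00Z"}],
        },
    },
    "acmecorp-scanner": {  # not a guessable name, but brand new and unlinked
        "info": {"summary": "Scans Acme widgets for drift", "project_urls": {}},
        "releases": {"0.1.0": [{"upload_time_iso_8601": "2025-05-30T12:00:00Z"}]},
    },
}


def demo() -> dict[str, str]:
    """Run triage over the constructed samples; returns name -> action."""
    return {n: triage(n, m, NOW).action for n, m in SAMPLES.items()}


if __name__ == "__main__":
    for n, m in SAMPLES.items():
        v = triage(n, m, NOW)
        print(f"{n}: {v.action} (score {v.score}) - {'; '.join(v.reasons)}")
```

The point of the three samples is that the generic name alone is not the signal: mcp-wellknown only scores for its name and is allowed, while the fresh, unlinked, self-described placeholder is blocked. In a real harness the hook would fetch the JSON for the name the agent is about to install and refuse or pause on "block" and "review".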

I know the question is going to come up: “What if I want to use one of these package names, and I have a legitimate use?” To that I say: I believe in your ability to create a name that your users will remember, which you can own and brand and hopefully even build a business around. These names are deliberately off the market for the same reason you can’t trademark common nouns.

The last thing I’ll say is: this isn’t sustainable. This is XKCD 2347. One person (me) should not be load-bearing security infra for the agentic ecosystem, and to be clear no one is paying me or sponsoring this. I’d love for there to be a clear path forward on better agentic security, but until then, stay safe out there, and thanks for reading.
