The supply chain is the first attack surface in any agentic workflow. Before your agent runs a single tool call, the npm packages it loaded, the MCP configs it trusts, and the hook scripts it executes may already be compromised. AgentShield is ECC’s automated IOC scanner for exactly this layer: it checks dependency manifests, lockfiles, installed package payloads, and AI-tool persistence paths against a catalog of active supply-chain indicators — raising findings before a compromised artifact can affect a live agent session.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/affaan-m/ECC/llms.txt
Use this file to discover all available pages before exploring further.
Always run AgentShield before deploying ECC to a production agent environment. Supply-chain infections are silent by design; they do not announce themselves in normal output.
What AgentShield scans
AgentShield’s scanner (scan-supply-chain-iocs.js) targets four distinct surfaces:
npm & PyPI dependency trees
Checks
package.json, package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lock, pyproject.toml, poetry.lock, and requirements.txt for known compromised package versions. Also walks node_modules/ to inspect installed package payload files directly.AI-tool persistence surfaces
Scans AI harness config directories —
.claude/, .cursor/, .vscode/, .kiro/settings/ — for known payload filenames (router_runtime.js, setup.mjs, pgmonitor.py, gh-token-monitor.sh) and suspicious content patterns injected into hook or settings files.System persistence paths
Checks macOS
LaunchAgents (~/Library/LaunchAgents/), Linux systemd user units (~/.config/systemd/user/), local bin directories (~/.local/bin/), GitHub Actions workflow files (.github/workflows/), and known /tmp drop paths for IOC artifacts.Unicode and content safety
Scans file content for known active IOC strings, including bidirectional text tricks, suspicious network endpoints, known C2 hostnames, and GitHub token monitor dead-man-switch artifacts.
What counts as an IOC
AgentShield maintains three IOC catalogs derived from real supply-chain incidents:Known compromised package versions
A curated list of packages and exact versions confirmed as malicious. Examples from the catalog:| Package | Compromised versions |
|---|---|
node-ipc | 9.1.6, 9.2.3, 10.1.1–10.1.2, 11.0.0–11.1.0, 12.0.1 |
@mistralai/mistralai | 2.2.2, 2.2.3, 2.2.4 |
@opensearch-project/opensearch | 3.5.3, 3.6.2, 3.7.0, 3.8.0 |
guardrails-ai | 0.10.1 |
intercom-client | 7.0.4 |
@tanstack/react-router | 1.169.5, 1.169.8 |
@dirigible-ai/sdk | 0.6.2, 0.6.3 |
critical finding.
Critical text indicators
String patterns that indicate active supply-chain compromise when found in scanned files — including:- Known C2 hostnames:
filev2.getsession.org,git-tanstack.com,sh.azurestaticprovider.net,api.masscan.cloud - AWS metadata service endpoint:
169.254.169.254(IMDS exfiltration) - Known payload script names:
tanstack_runner.js,router_init.js,opensearch_init.js,vite_setup.mjs - GitHub token monitor artifacts:
gh-token-monitor,com.user.gh-token-monitor,IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner - Known GitHub Actions campaign markers:
shai-hulud-workflow.yml,codeql_analysis.yml(as planted files, not the standard name)
permissions.deny blocks in Claude settings files are excluded from findings — that is where you intentionally list dangerous patterns to block.
Known malicious file hashes
SHA-256 hashes of confirmed malicious tarballs and payloads (for example, specificnode-ipc .cjs and .tgz artifacts). Any file whose hash matches raises a critical finding immediately, regardless of filename.
CLI usage
Run a scan
scan-supply-chain-iocs.js against the repo root. Findings are printed to stderr; the process exits 1 if any IOC is found and 0 if the scan is clean.
Interpreting output
A clean scan:- Severity — always
criticalfor IOC matches - File path — relative to the scanned root
- Line number — where in the file the indicator was detected
- Indicator — the specific IOC that matched
- Message — human-readable explanation of the finding
JSON output format
CI integration
Add AgentShield to your GitHub Actions workflow to block compromised packages from reaching any deployed agent environment:--json to capture structured output for downstream processing or SIEM ingestion.
How the scanner works internally
File discovery
The scanner walks the target directory, collecting files that match a known-relevant set: dependency manifests (
package.json, lockfiles, requirements.txt), AI-tool config paths (.claude/settings.json, .vscode/tasks.json), persistence-surface filenames when found under special config directories, and known payload filenames when found under node_modules/.Hash check
Each collected file is SHA-256 hashed and compared against the malicious file hash catalog. A match raises a
critical finding immediately.Payload filename check
Files whose base names appear in the payload filename set (
router_runtime.js, tanstack_runner.js, pgmonitor.py, etc.) raise a critical finding — the presence of these filenames in the expected drop locations is itself an IOC.Text IOC scan
File content is scanned for all critical text indicators. Matches inside
permissions.deny blocks in Claude settings files are suppressed to avoid false positives from defensive denylists.Installation
AgentShield is included in the--profile security and --modules security install options:
ecc-agentshield npm package is also available as a standalone scanner:
What AgentShield does not replace
AgentShield catches known IOCs. It does not replace:- Semantic code review — a novel, previously undocumented malicious package will not be in the IOC catalog.
- Runtime sandboxing — IOC scanning is a pre-flight check, not a runtime containment layer.
- Prompt injection defense — AgentShield scans files, not in-context model inputs.
- Human approval gates — do not remove PreToolUse hook gates because the scan passed.