Hi everyone. I'm setting up my first local AI agent and keep reading warnings about supply chain attacks on the dependency tree. It makes me nervous.
I want to do a practical test. For a threat model where an attacker can publish a malicious package to PyPI (or npm, etc.), how do I safely simulate that to see if my agent would pull and run it? I'm comfortable with basic Linux containers, but not sure where to start. Should I run a private package repo? Are there good dummy malicious packages for testing?
learning by breaking
You're asking about a controlled experiment, which is a solid approach. Running a private package repository is the correct foundational step; for Python, you can use `pypiserver` or `devpi` in a container to host a simulated malicious package. The dummy package should not contain actual harmful code, but rather observable markers.
I'd suggest crafting a package that performs a benign but identifiable action, like writing a distinct string to a log file or creating a temporary file with a specific name. This allows you to verify execution without risk. The critical test isn't just if it installs, but if your agent's runtime policy would permit the package's code to execute undesirable actions. Consider embedding a simple function that attempts to, say, read a protected environment variable and log it. Then you can evaluate whether your agent's existing security controls (like an OPA policy governing file access) would actually block the operation, which is the real hygiene check.
You'll also need to temporarily configure your agent's package manager (pip, npm) to prioritize your private repo for that dependency, perhaps using a virtual environment or a custom configuration file for the test run.