In April 2026, OX Security submitted a malicious proof-of-concept to eleven major Model Context Protocol registries. Nine accepted it without detection, and the firm subsequently confirmed command execution on six live production platforms (“The Mother of All AI Supply Chains,” OX Security, April 2026). The vulnerability they exploited wasn’t sophisticated. It was the absence of any verification step at all.
Around the same time, ReversingLabs released their fourth annual software supply chain security report. Across roughly 400,000 public GitHub repositories, the median time to remediate a leaked secret was 94 days. By Security Boulevard’s 2026 vulnerability statistics, the median time-to-exploit for newly disclosed vulnerabilities is under five days.
That’s a 19-to-1 ratio. The infectious window is roughly nineteen times longer than the time an attacker needs to weaponize what’s inside it. In epidemiology, when the duration of infectiousness vastly exceeds the time it takes to detect and isolate a case, you don’t have a hygiene problem. You have an epidemic.
The AI agent supply chain has been treated as an engineering problem — better SBOMs, better signing, better sandboxing, better registries. The argument here is that the field has been reaching for the wrong toolkit. What’s happening to npm, PyPI, MCP, and ClawHub isn’t a series of incidents to engineer around. It’s a propagation problem with mature mathematics, and the mathematics comes from public health.
R₀ for an Ecosystem with No Friction
The basic reproduction number, R₀, is the most useful number in epidemiology. It’s the average number of secondary infections caused by one infected individual in a fully susceptible population. R₀ greater than 1, the disease spreads. R₀ less than 1, it dies out. Measles tops the human pathogen list at R₀ of 12 to 18. Early COVID-19 was 2 to 3.
R₀ isn’t a property of the pathogen alone. It decomposes as β × c × d — transmission probability per contact, contact rate, and duration of infectiousness. Which means you can do something interesting: you can compute it for software.
For the AI agent supply chain, β — the probability that a vulnerable agent invoking a poisoned tool gets compromised — approaches 1.0. There is no equivalent of an immune system that catches a small fraction at the door. When OX Security’s malicious tool was invoked, the payload executed with the agent’s full permissions on the first call.
c, the contact rate, is where the math diverges sharply from biology. In the npm world, c is bounded by human attention: a developer types npm install, considers, types again. The friction is real. In the agent ecosystems, MCP clients discover tools at runtime by querying registries, and Google’s A2A protocol fetches agent cards from /.well-known/agent.json URIs and feeds the metadata directly into the LLM’s reasoning context, with no protocol-level verification step. There is no human in the loop.
This is the structural amplifier. MCP SDK downloads exceeded 97 million by early 2026 (OX Security). Agentic AI traffic grew 7,851 percent in 2025 by Palisade Research’s honeypot measurements. As deployment scales, c scales linearly with it — the contact rate is bounded only by the number of agents running, not by anyone’s calendar.
A first-order estimate puts agent supply chain R₀ in the 3 to 5 range, comparable to early COVID-19. This number is derived from the decomposition above, not measured. No longitudinal study yet tracks compromise propagation through real agent dependency graphs, and the figure could be off by an order of magnitude in either direction. But the error is more likely on the low side: anything that folds in Palisade’s 7,851 percent traffic growth or OX Security’s nine-of-eleven registry acceptance rate pushes the number up, not down.
The Dormancy Problem the SIR Model Doesn’t Solve
The classical Susceptible-Infected-Recovered model doesn’t fit modern supply chain attacks well. WannaCry traces, fitted against multiple compartmental models, are best captured by SIIDR — Susceptible, Infected, Infected Dormant, Recovered (Guilmette et al., Applied Network Science, Springer, 2023). The fourth compartment is the one that matters: hosts that are compromised but not yet contagious.
In tuberculosis, this is the latent period: M. tuberculosis hides in granulomas for years before reactivating. In supply chain malware, dormancy isn’t an incidental side effect; it’s the design pattern.
Postmark-mcp shipped fifteen clean versions before payload activation (Snyk and Koi Security, September 2025). The maintainer published 1.0.0 through 1.0.15 as legitimate, useful, well-documented MCP server code. Version 1.0.16 added a one-line BCC field that exfiltrated email contents to an attacker-controlled server. By the time of disclosure, the package had accumulated approximately 1,500 weekly downloads and an estimated 300 organizational deployments.
ClawHavoc, the February 2026 ClawHub poisoning campaign Antiy CERT documented, scaled the same pattern across 1,184 malicious skills from twelve author IDs. Two of the twelve (hightower6eu and sakaen736jih) accounted for roughly 90 percent of the malicious uploads, a superspreader distribution even steeper than the classic 80/20 split and of the kind epidemiologists see in measles outbreaks and SARS clusters. Snyk’s ToxicSkills audit of 3,984 ClawHub skills found that 36 percent contained security flaws, with 13.4 percent at critical severity, and noted that 60 percent of the risk lived in the instruction layer: markdown that only activates when an LLM reasons over it.
The latent period defeats symptom-based detection in biology. In the supply chain, it defeats version pinning and one-time auditing. Pinning to ^1.0.15 looks reasonable until 1.0.16 arrives and the range resolver pulls it in; an exact pin only defers the same exposure to the next routine upgrade. Auditing 1.0.0 looks reasonable until the maintainer’s GitHub token gets stolen and the next version is published by someone else with the same name attached.
Herd Immunity Has a Number
The herd immunity threshold is HIT = 1 − 1/R₀. For R₀ of 3, you need 67 percent population immunity to halt sustained transmission. For R₀ of 5, you need 80 percent. For measles at R₀ of 18, the threshold is 94 percent, which is why measles outbreaks return whenever vaccination rates drift below about 95 percent. There’s no margin.
For the AI agent supply chain at R₀ of 3 to 5, the herd immunity threshold sits between 67 and 80 percent defense adoption. “Defense adoption” here means tool identity verification, signature checks, and runtime sandboxing — the things proposals like ETDI (Enhanced Tool Definition Interface, arXiv 2506.01333) and SafeClaw-R seek to standardize.
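The R₀ decomposition (β × c × d), the dormant compartment, and the herd immunity threshold above fit in one small model. The following is an added example, not code from the essay or from Guilmette et al.; its parameter values (β = 1.0, c = 0.04 contacts per host per day, d = 100 days of infectiousness, a 30-day dormancy) are illustrative assumptions chosen to land at R₀ = 4, not measurements, and the SIIDR equations are a plain Euler-stepped compartmental model rather than the fitted one in the paper.

```python
"""Discrete-time SIIDR model for an agent fleet, with an immune fraction.

Added example, not code from the essay or from Guilmette et al. Compartments:
S susceptible, D infected but dormant (compromised, not yet contagious),
I infected and contagious, R recovered or protected up front. R0 follows the
essay's beta * c * d decomposition. All parameter values are illustrative
assumptions chosen to land in the essay's R0 = 3..5 band; none is measured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    beta: float     # P(compromise | contact with a contagious host's poisoned tool)
    c: float        # contacts per host per day (tool discoveries / installs)
    d: float        # mean infectious duration in days (time until remediation)
    latency: float  # mean dormant period in days before the payload activates


def r0(p: Params) -> float:
    """Basic reproduction number R0 = beta * c * d."""
    return p.beta * p.c * p.d


def herd_immunity_threshold(r0_value: float) -> float:
    """HIT = 1 - 1/R0: fraction that must be protected to stop sustained spread."""
    return 0.0 if r0_value <= 1.0 else 1.0 - 1.0 / r0_value


def simulate(p: Params, immune_frac: float, n: int = 10_000,
             seed_cases: int = 1, days: int = 5_000) -> dict:
    """Euler-step the SIIDR system one day at a time and summarise the outbreak.

    `attack_fraction` is the share of initially susceptible hosts ever compromised,
    `peak_day` the day on which the contagious compartment peaked, and
    `peak_dormant` the largest number of compromised-but-silent hosts at once.
    """
    R = immune_frac * n             # hosts protected before the outbreak
    D = float(seed_cases)           # the first compromise lands dormant
    I = 0.0
    S = n - R - D
    s0 = S
    if s0 <= 0:
        raise ValueError("immune_frac leaves no susceptible hosts")
    peak_i, peak_day, peak_d = 0.0, 0, 0.0
    for day in range(1, days + 1):
        new_inf = p.beta * p.c * I * S / n   # susceptibles touched by contagious hosts
        activated = D / p.latency            # dormant payloads switching on
        recovered = I / p.d                  # remediation
        S -= new_inf
        D += new_inf - activated
        I += activated - recovered
        R += recovered
        if I > peak_i:
            peak_i, peak_day = I, day
        peak_d = max(peak_d, D)
    return {
        "attack_fraction": (s0 - S) / s0,
        "peak_infectious": peak_i,
        "peak_day": peak_day,
        "peak_dormant": peak_d,
    }


if __name__ == "__main__":
    p = Params(beta=1.0, c=0.04, d=100.0, latency=30.0)   # assumed values, R0 = 4
    print(f"R0 = {r0(p):.2f}, HIT = {herd_immunity_threshold(r0(p)):.0%}")
    for frac in (0.0, 0.5, 0.8):
        out = simulate(p, immune_frac=frac)
        print(f"immune {frac:.0%}: attack {out['attack_fraction']:.1%}, "
              f"peak day {out['peak_day']}, peak dormant {out['peak_dormant']:.0f}")
```

Running it puts the two claims side by side: with no protected hosts the outbreak reaches roughly 98 percent of the fleet, while protecting 80 percent (above the 75 percent threshold for R₀ = 4) holds total spread to a handful of hosts. Shortening the dormancy to one day moves the peak earlier but leaves the final attack fraction unchanged, which is the sense in which dormancy defeats detection rather than reducing the damage.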
Current adoption is effectively zero.
The data points stack up. Nine of eleven MCP registries accepted OX Security’s malicious PoC. Eighty-two percent of MCP implementations were vulnerable to path traversal in PipeLab’s 2026 testing, 67 percent to code injection, 34 percent to command injection. GitGuardian’s 2026 audit found 24,008 unique secrets in MCP-related GitHub configs, 8.8 percent of them still valid at scan time. The MCP specification authenticates clients to servers (OAuth over HTTP transports) but has no primitive for verifying the identity or integrity of a tool or of the server that publishes it, no least-privilege enforcement, and no audit trail.
This is not a leaky 80 percent vaccination rate with breakthrough infections. It’s pre-Jenner. The agent ecosystem is in 1790, and the technology to immunize exists conceptually — variolation predates the smallpox vaccine — but is not deployed at any scale that matters epidemiologically.
The closest analogue from public health isn’t a recent outbreak. It’s the period before vaccination became a public health intervention, when prevention was personal and outbreaks just happened. The industry framing — “digital immune system,” a market that some forecasts project at $57 billion by 2032 — is using the wrong branch of biology entirely. Innate immunity is what one organism does to defend itself. Herd immunity is what a population achieves together. The agent supply chain’s problem is the second kind, and you cannot purchase your way to it as an individual buyer.
Wave Dynamics and the Survivability Pivot
Sygnia’s Q4 2025 supply chain report documented two waves of the Shai-Hulud npm worm. Wave 1.0 hit roughly 180 packages with 700+ malicious versions and weekly downloads in the hundreds of thousands. Wave 2.0, surfacing months later, reached approximately 800 packages, 1,000+ poisoned versions, and weekly downloads in the tens of millions.
The shift between waves wasn’t only scale. Sygnia explicitly flagged a qualitative change: Wave 1.0 prioritized maximum infection volume; Wave 2.0 prioritized survivability — better evasion, longer persistence, more selective exfiltration to avoid tripping detection.
This is exactly what biological pathogens do under selection pressure. High-virulence variants kill or alarm hosts too quickly to spread; immune-evading variants persist. SARS-CoV-2 went through this pivot publicly between 2020 and 2022 — Alpha was virulent and easy to spot; Omicron was milder, stealthier, and dominated. Influenza does it every season. The pattern isn’t a metaphor; it’s what convergent selection on a transmission environment produces, regardless of whether the pathogen is RNA or JavaScript. The selection pressure is the only thing that matters, and the agent ecosystem is providing plenty of it.
Quarantine Is Late by Design
In February 2026, The Hacker News reported that compromised npm and PyPI packages associated with the dYdX brand had accumulated 121,539 downloads across 128 phantom packages over six months before quarantine. PyPI quarantined LiteLLM versions 1.82.7 and 1.82.8 in March 2026 after Datadog Security Labs traced the TeamPCP campaign. ClawHub quarantined the prolific moonshine-100rze account after 14,285 downloads across 60 malicious skills (Antiy CERT, February 2026).
In every case, quarantine arrived after the infectious period was effectively complete. This isn’t a process failure; it’s a structural feature of how registries detect compromise — by reports, after exploitation, with a lag determined by user vigilance.
The biological equivalent is closing borders after a pandemic is on every continent. You do it anyway, because future cases matter, but you don’t pretend you contained the outbreak.
The deeper problem is that registry quarantine doesn’t purge cached copies. Lock files keep old versions alive in CI/CD systems. Docker images bake them in. Air-gapped environments and internal package mirrors retain them indefinitely.
The structural deficit is the absence of contact tracing. A traditional SBOM captures the static dependency graph at build time; that’s a guest list, not a contact log. Agent tool invocations happen at runtime through registries discovered just-in-time, and OWASP’s 2026 ASI04 (Agentic Supply Chain Vulnerabilities) explicitly distinguishes this dynamic-composition risk from static pre-deployment supply chain risk. No infrastructure today logs which agent invoked which tool from which registry. Certificate Transparency solved the analogous problem for TLS by requiring every issued certificate to land in append-only, publicly auditable logs. The agent ecosystem has nothing comparable.
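Because a quarantine stops new resolutions but leaves every version already pinned in a lockfile untouched, the check has to run where the lockfiles live: repositories, CI caches, image build contexts. The following is an added example, not the essay’s code; its quarantine list carries the two LiteLLM versions named above plus a constructed npm entry, and both sample lockfiles are constructed for the demo. It handles the v1 and v2/v3 layouts of package-lock.json and exact pins in requirements.txt; ranges and unpinned entries are deliberately skipped, since a lockfile check is about what was actually resolved.

```python
"""Find quarantined package versions that survive in lock files.

Added example, not the essay's code. A registry quarantine stops new resolutions;
it leaves every version already pinned in a lockfile untouched, so the check has
to run where the lockfiles live (repos, CI caches, image build contexts). The
quarantine list below carries the two LiteLLM versions the essay names plus a
constructed npm entry; both sample lockfiles are constructed for this demo.
"""
import json
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str, str]   # (file, ecosystem, package, version)

QUARANTINED: Dict[str, Dict[str, Set[str]]] = {
    "pypi": {"litellm": {"1.82.7", "1.82.8"}},
    "npm": {"example-mcp-server": {"1.0.16"}},   # constructed, not a real advisory
}

# Constructed requirements.txt: mixed case, an extras marker, a comment, an option line.
SAMPLE_REQUIREMENTS = """\
# pinned by CI on 2026-03-01
-r base.txt
requests==2.32.3
LiteLLM[proxy]==1.82.8 ; python_version >= "3.9"
mcp>=1.0
"""

# Constructed package-lock.json (lockfileVersion 3): a quarantined top-level
# install and a clean nested copy of the same package.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "agent-host", "lockfileVersion": 3,
    "packages": {
        "": {"name": "agent-host", "version": "0.1.0"},
        "node_modules/example-mcp-server": {"version": "1.0.16"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool": {"version": "2.0.0"},
        "node_modules/some-tool/node_modules/example-mcp-server": {"version": "1.0.15"},
    },
})

_REQ_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def normalize_pypi(name: str) -> str:
    """PEP 503 normalisation so LiteLLM, litellm and lite_llm compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pins_from_requirements(text: str) -> List[Tuple[str, str]]:
    """Exact `name==version` pins; ranges, comments and -r/-e lines are skipped."""
    pins = []
    for line in text.splitlines():
        m = _REQ_PIN.match(line)
        if m:
            pins.append((normalize_pypi(m.group(1)), m.group(2)))
    return pins


def pins_from_package_lock(text: str) -> List[Tuple[str, str]]:
    """Every resolved (name, version) in a package-lock.json, v1 or v2/v3 layout."""
    lock = json.loads(text)
    pins = []
    for path, meta in lock.get("packages", {}).items():     # v2/v3: flat path keys
        if path and "version" in meta:
            pins.append((path.rsplit("node_modules/", 1)[-1], meta["version"]))

    def walk(deps: dict) -> None:                            # v1: nested tree
        for name, meta in deps.items():
            if "version" in meta:
                pins.append((name, meta["version"]))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return pins


def scan(files: Dict[str, str], quarantined=QUARANTINED) -> List[Finding]:
    """Report every pinned version that a registry has since quarantined."""
    findings: List[Finding] = []
    for path, text in files.items():
        if path.endswith("requirements.txt"):
            eco, pins = "pypi", pins_from_requirements(text)
        elif path.endswith("package-lock.json"):
            eco, pins = "npm", pins_from_package_lock(text)
        else:
            continue
        for name, version in pins:
            if version in quarantined.get(eco, {}).get(name, set()):
                findings.append((path, eco, name, version))
    return findings


if __name__ == "__main__":
    for hit in scan({"requirements.txt": SAMPLE_REQUIREMENTS,
                     "package-lock.json": SAMPLE_PACKAGE_LOCK}):
        print("QUARANTINED STILL PINNED:", *hit)
```

Two details matter in practice. Name normalisation on the PyPI side, because `LiteLLM` and `litellm` are the same project and a literal string match misses one of them. And walking nested `node_modules` paths on the npm side, because a quarantined version can be hoisted to the top level or buried under another dependency, and an SBOM generated at build time will list it either way only if it was generated after the pin landed.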
Zoonotic Spillover Is the Primary Pathway
The most dangerous transmission route in the agent supply chain isn’t agent-specific. It’s the cross-ecosystem jump from npm and PyPI into MCP and A2A.
MCP servers are distributed as npm and PyPI packages. Agent frameworks (LangChain, CrewAI, OpenClaw) are PyPI packages. There is no species barrier between traditional software and autonomous agents: same registries, same installation mechanisms, same trust assumptions. When Shai-Hulud compromised npm, every MCP server depending on a poisoned upstream package inherited the compromise. The malware “jumped species” from passive code to autonomous agents, and gained the elevated R₀ of automated execution at the same moment.
GitGuardian documented three independent supply chain campaigns hitting npm, PyPI, and Docker Hub within a 48-hour window in April 2026, all targeting secrets. Socket linked North Korean actors to over 1,700 malicious packages spanning npm, PyPI, Go, and Rust by April 2026 (The Hacker News, April 2026). Sonatype’s Q4 2025 Open Source Malware Index reported that npm alone accounted for 99.8 percent of all open-source malware in the quarter.
These aren’t specifically agent attacks. They don’t have to be. Because agent ecosystems sit downstream of the underlying registries, every traditional software supply chain attack is now a potential agent supply chain attack with no extra effort required from the attacker. The traditional software ecosystem is the zoonotic reservoir. The next major agent supply chain incident will, with high probability, originate there — and it will be detected on the agent side, in production, by an agent doing exactly what it was designed to do.
Where the Analogy Breaks
The strongest objection is that software has properties biology doesn’t, and the model misses them.
Recovery, in biology, often confers lasting immunity. In software, “recovered” means “patched against this exploit,” and a patched system is wide open to the next one. Defending against postmark-mcp doesn’t help against ClawHavoc — the recovered compartment is pathogen-specific in software in a way it isn’t in biology.
Temporal compression also matters. Biological pandemics unfold over weeks to months; Shai-Hulud infected hundreds of packages in days. The compressed timescale makes real-time surveillance essential, though it does make after-the-fact analysis more tractable — you can examine the entire arc within a week.
And R₀ in biology is bounded by physical contact. Even measles, at R₀ of 12 to 18, is capped by how many people one person can be in a room with. Agent ecosystems have no such ceiling. The model imported from biology under-predicts the upper bound, which is the opposite of the kind of error a metaphor usually makes. The honest position isn’t that the analogy is perfect. It’s that the imperfections argue for more aggressive intervention, not less.
The Practical Insight
If you’re responsible for an agent fleet, three operational moves are available without waiting for new infrastructure.
Treat your registry list like a vaccine schedule, not an install list. The 80/20 rule of biological superspreading applies to registries too: a small number of them serve a disproportionate share of tool discovery queries. Inventory which registries your agents query, rank them by query volume, and restrict the top decile to tools from publishers whose identity you have verified. ETDI-style cryptographic signing is the long-term goal; in the meantime, allow-listing the top ten registries and refusing discovery from anywhere else closes most of the surface a single attacker can reach with one compromise.
Build runtime contact tracing. Static SBOMs cannot trace dynamic runtime composition. What you need is an append-only log of every tool invocation — agent identity, registry source, tool hash, timestamp — that you can query when a quarantine notice arrives. Certificate Transparency is the architectural model. The minimum viable version is a JSONL log written by an MCP middleware shim that intercepts every tool call. It’s a session of work, not a quarter, and it converts every future quarantine notice from “do we have this?” to “here’s exactly which agents touched it and when.”
Accept that voluntary defense adoption will not cross the herd immunity threshold. The vaccination paradox holds: organizations most likely to deploy ETDI-equivalent protections are the ones already security-conscious. The long tail won’t, because the perceived risk is low and the cost is voluntary. Population-level protection requires mandatory measures — registry-level signing, identity-verified publishing, runtime verification at the protocol layer. Until those exist, your defense is local, and the ecosystem’s defense is the agentic equivalent of pre-Jenner London. That’s a real argument for engaging with standards bodies and registry maintainers directly, not just hardening your own perimeter.
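The first two moves above, a registry allow-list and runtime contact tracing, fit in one small shim. The following is an added example, not code from the essay, from any MCP SDK or from any product; it assumes a tool call can be represented as an agent id, the registry the tool was discovered from, the tool’s name and definition bytes, and a callable that performs the call, and it uses an HMAC key held by the logging host as the chaining secret. The names `InvocationLog`, `verify_chain` and `exposed_agents` are this example’s own.

```python
"""Runtime contact tracing for tool invocations.

Added example (not the essay's or any vendor's code). It assumes a tool call
looks like: an agent id, the registry the tool was discovered from, the tool's
name, the bytes of its definition, and a callable that performs the call.
The shim (1) enforces a registry allow-list, (2) appends a hash-chained JSONL
record BEFORE the tool runs, and (3) lets you answer a quarantine notice with
`exposed_agents`. Each record's tag is an HMAC over the previous tag plus the
record body, so edits, reorderings or deletions inside the log break
`verify_chain`. Truncating the tail is only detectable if the latest tag is
anchored somewhere else (the Certificate Transparency role), out of scope here.
"""
import hashlib
import hmac
import json
import time
from typing import Callable, Iterable

GENESIS = "0" * 64


def tool_digest(tool_def: bytes) -> str:
    """Identity of the tool as actually served: SHA-256 of its definition bytes."""
    return hashlib.sha256(tool_def).hexdigest()


def _tag(key: bytes, prev_tag: str, body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + canonical).encode(), hashlib.sha256).hexdigest()


class InvocationLog:
    def __init__(self, key: bytes, allowed_registries: Iterable[str],
                 clock: Callable[[], float] = time.time, sink=None):
        self.key = key
        self.allowed = frozenset(allowed_registries)
        self.clock = clock
        self.sink = sink            # optional file-like; lines are also kept in memory
        self.lines: list = []
        self.prev_tag = GENESIS

    def is_allowed(self, registry: str) -> bool:
        return registry in self.allowed

    def _append(self, event: str, **fields) -> dict:
        body = {"seq": len(self.lines), "ts": self.clock(), "event": event, **fields}
        tag = _tag(self.key, self.prev_tag, body)
        record = {**body, "prev": self.prev_tag, "tag": tag}
        line = json.dumps(record, sort_keys=True)
        self.lines.append(line)
        if self.sink is not None:
            self.sink.write(line + "\n")
            self.sink.flush()
        self.prev_tag = tag
        return record

    def invoke(self, agent_id: str, registry: str, tool_name: str,
               tool_def: bytes, fn: Callable, *args, **kwargs):
        """Log first, then call: a crashed or exfiltrating tool still leaves a record."""
        common = dict(agent=agent_id, registry=registry, tool=tool_name,
                      tool_hash=tool_digest(tool_def))
        if not self.is_allowed(registry):
            self._append("denied", **common)
            raise PermissionError(f"registry {registry!r} is not on the allow-list")
        self._append("invoke", **common)
        return fn(*args, **kwargs)

    def dump(self) -> str:
        return "".join(line + "\n" for line in self.lines)


def verify_chain(key: bytes, jsonl_text: str) -> bool:
    """True iff every record chains to its predecessor with a valid tag and sequence."""
    prev = GENESIS
    for n, line in enumerate(jsonl_text.splitlines()):
        rec = json.loads(line)
        body = {k: v for k, v in rec.items() if k not in ("prev", "tag")}
        if rec.get("seq") != n or rec.get("prev") != prev:
            return False
        if not hmac.compare_digest(rec.get("tag", ""), _tag(key, prev, body)):
            return False
        prev = rec["tag"]
    return True


def exposed_agents(jsonl_text: str, tool_hash: str) -> list:
    """Answer a quarantine notice: which agents ran this exact tool, and when."""
    hits = []
    for line in jsonl_text.splitlines():
        rec = json.loads(line)
        if rec["event"] == "invoke" and rec["tool_hash"] == tool_hash:
            hits.append((rec["agent"], rec["ts"]))
    return hits


if __name__ == "__main__":
    # Constructed demo: one allowed call, one denied, then a mock quarantine lookup.
    log = InvocationLog(b"demo-key", {"registry.example"})
    tool = b'{"name":"send_email","version":"1.0.16"}'   # constructed tool definition
    log.invoke("agent-a", "registry.example", "send_email", tool, lambda: "sent")
    try:
        log.invoke("agent-b", "rogue.example", "send_email", tool, lambda: "sent")
    except PermissionError as e:
        print("denied:", e)
    print("chain ok:", verify_chain(b"demo-key", log.dump()))
    print("exposed:", exposed_agents(log.dump(), tool_digest(tool)))
```

The ordering is the design choice that matters: the record is appended before the tool runs, so a tool that crashes the agent, or exfiltrates and exits, still leaves its trace. The HMAC chain proves to the key holder that nothing inside the log was edited, reordered or removed; it does not prove the log wasn’t cut off at the tail, which is what publishing or anchoring the latest tag externally would add. Keying on the hash of the tool definition rather than its name is what turns a quarantine notice naming a specific poisoned version into a list of exactly the agents that ran it.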
Coda
In 1854, John Snow mapped cholera deaths around the Broad Street pump and demonstrated that the disease was waterborne, not miasmic. The pump wasn’t London’s only contaminated water source — but it was the one whose contagion network could be measured, and showing the network changed the field.
The AI agent supply chain needs its Snow moment. The data exists: registry compromise rates, propagation traces, dormancy windows, the 19-to-1 gap between leak and exploit. What’s missing is the willingness to look at it through the right lens. Cybersecurity has imported “immune system” as a marketing term while ignoring the actual mathematics of infectious disease, which is the part that would help. R₀, herd immunity thresholds, SIIDR compartments, contact tracing, ring vaccination — these aren’t decorations. They’re the names of solved problems, and the field that solved them is willing to teach.
Sources: OX Security (“The Mother of All AI Supply Chains,” April 2026); ReversingLabs Annual Software Supply Chain Security Report (2026); Security Boulevard 2026 vulnerability statistics; Snyk & Koi Security (postmark-mcp, September 2025); Antiy CERT (ClawHavoc, February 2026); Snyk ToxicSkills audit; Sygnia Q4 2025 Supply Chain Report (Shai-Hulud); Guilmette et al., Applied Network Science (Springer, 2023); Palisade Research honeypot measurements (2025); PipeLab MCP testing (2026); GitGuardian 2026 audit; Sonatype Q4 2025 Open Source Malware Index; Datadog Security Labs (TeamPCP / LiteLLM); The Hacker News (dYdX phantom packages, February 2026; Socket / North Korea attribution, April 2026); OWASP ASI04 (2026); arXiv:2506.01333 (ETDI).
Runtime Contact Tracing, Today
The structural deficit the essay names is the absence of contact tracing for tool invocations. SBOMs capture the build-time guest list; what’s missing is the log of who called whom at runtime. Chain of Consciousness is that log: every agent action, every tool invocation, every registry source written to an append-only chain before the call runs — cryptographically signed, queryable when the next quarantine notice arrives. It’s the JSONL middleware shim from the practical-insight section, productized.
pip install chain-of-consciousness
npm install chain-of-consciousness
Try Hosted CoC — runtime contact tracing, before the next outbreak.