Apex36|Blogs

Your AI Agent Has a Supply Chain Problem

Apr 24, 2026•5 min read

Three supply-chain breaches hit AI teams in 30 days — MCP, Axios npm, and Trivy. Here is what actually happened and a practical hygiene checklist.

Between March 31 and mid-April 2026, AI supply chain security stopped being an abstract worry and became a live operational problem. Three pieces of infrastructure that most AI teams depend on got compromised in quick succession — and the pattern matters more than any individual breach.

Thirty Days, Three Breaches: What Actually Happened

The first hit was the Axios npm package — a JavaScript HTTP client with roughly 70 million weekly downloads. Microsoft Threat Intelligence attributed the compromise to Sapphire Sleet, a North Korean state actor. Two malicious versions shipped, and a second-stage RAT deployed differently depending on whether the compromised device ran macOS, Windows, or Linux. If your Node or TypeScript stack bumped versions in that window, you were in scope.

Next came Trivy, the open-source vulnerability scanner maintained by Aqua Security. A group known as TeamPCP compromised Trivy through GitHub Actions and container images, injecting credential stealers into the release pipeline. The tool most teams use to find CVEs was, for a brief moment, shipping them.

Then OX Security disclosed a systemic RCE vulnerability in the Model Context Protocol itself — the protocol that now sits underneath most agent-to-tool communication. They estimate 150 million downloads of affected implementations, 7,000+ publicly reachable servers, and up to 200,000 vulnerable instances in the wild.

Three different attackers. Three different entry points. One unmistakable pattern.

Why MCP Changes the Blast Radius of a Compromise

Before MCP, an AI integration usually meant a model calling a narrow, custom API with a short allowlist of actions. Compromise was bounded by whatever that API could do.

MCP changed that. It standardised tool discovery and invocation — which is exactly what made it useful, and also what makes this vulnerability different. An agent that can call any MCP server can call a compromised one. And because MCP servers often expose broad, coarse-grained capabilities — file system access, shell execution, API keys, chat history, internal databases — a single RCE is closer to domain admin than it is to a scoped bug.

The blast radius is not just the server you ran. It is every tool that agent could reach, every secret it touched, every document it had permission to read.

That is the uncomfortable part of the OX Security disclosure. It was not a bug in one implementation. It was a systemic weakness in how MCP servers are being deployed, which means remediating it is a policy problem, not a patch.

[Figure: three broken supply-chain links labelled MCP, npm, and Container, illustrating the April 2026 AI supply chain compromise]

The npm and Container Registry Layer Was Already Broken

The Axios and Trivy breaches are not new in kind. npm has been a soft target for years. GitHub Actions has been compromised repeatedly. What is new is the combination.

AI teams ship more dependencies than most software teams. A typical agent backend pulls in LangChain or Semantic Kernel, an MCP runtime, a vector client, an HTTP client, a tokenizer, an observability SDK, and three or four LLM provider libraries. Every one of those is a potential delivery vehicle.

Wrap that in a container, push it through GitHub Actions, let Trivy scan it, and deploy. Each step in that pipeline had a public incident this month.

The takeaway is not that npm or Actions or MCP are inherently unsafe. It is that the build is now the attack surface. An attacker who owns your build does not need to phish anyone, does not need to find an app-level vulnerability, does not even need to write exploit code — they just need to wait for your next CI run.

A Minimal Supply-Chain Hygiene Checklist for AI Teams

This is not a full SSDF implementation. It is what we would push for inside the first week of a review.

  1. Pin versions. Everything — npm packages, container base images, MCP servers. Caret and tilde ranges have to go. Use exact versions and review bumps consciously.
  2. Require SLSA attestations or equivalent on anything that runs in production. npm and GitHub both support this now. Your CI can fail builds that pull unsigned artifacts.
  3. Isolate CI runners by blast radius. The runner that builds your agent should not share credentials with the runner that deploys your database migrations. If one gets compromised, the other should not be able to reach production.
  4. Segment MCP servers. Treat each one as a scope of privilege. A tool server that reads Slack should not have credentials for your production database. Most teams wire them together because it is easier — fix that this quarter.
  5. Rotate anything that touched production since March 31. API keys, signing keys, service account credentials. If you cannot prove a secret was never exposed to a compromised build, treat it as burned.
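One way to turn the pinning items of this checklist into a CI gate, as an added example that is not code from the original post: it audits a package.json for caret, tilde and range specs, a Dockerfile for base images without a sha256 digest, and a GitHub Actions workflow for actions not pinned to a commit SHA. The sample manifest, Dockerfile, workflow, digest and commit SHA are all constructed placeholders.

```python
import json
import re

EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")  # 1.2.0 or 1.2.0-rc.1 only
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")

def audit_package_json(text):
    """Flag every dependency spec that is not an exact version (^, ~, ranges and tags all fail)."""
    manifest = json.loads(text)
    return [f"package.json: {name} '{spec}' is not an exact version"
            for section in ("dependencies", "devDependencies")
            for name, spec in manifest.get(section, {}).items() if not EXACT_SEMVER.match(spec)]

def audit_dockerfile(text):
    """Flag FROM images lacking a sha256 digest; build-stage aliases and scratch are skipped."""
    findings, stages = [], set()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        image = tokens[1]
        if len(tokens) >= 4 and tokens[2].upper() == "AS":
            stages.add(tokens[3])  # later "FROM <alias>" lines refer to this stage, not a registry
        if image not in stages and image != "scratch" and "@sha256:" not in image:
            findings.append(f"Dockerfile: base image '{image}' is not pinned to a sha256 digest")
    return findings

def audit_workflow(text):
    """Flag GitHub Actions 'uses:' references pinned to a tag or branch instead of a commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions are repo code; docker:// refs fall under the digest rule above
        action, _, ref = m.group(1).partition("@")
        if not COMMIT_SHA.match(ref):
            findings.append(f"workflow: {action} uses '{ref or '<none>'}' instead of a commit SHA")
    return findings
# Constructed sample inputs; the digest and commit SHA below are placeholders, not real artifacts.
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {"axios": "^1.6.0", "@modelcontextprotocol/sdk": "1.2.0"},
                                  "devDependencies": {"typescript": "~5.4.0"}})
SAMPLE_DOCKERFILE = ("FROM node:20-alpine AS build\nRUN npm ci\n"
                     "FROM node:20-alpine@sha256:" + "0" * 64 + "\nCOPY --from=build /app /app\n")
SAMPLE_WORKFLOW = ("steps:\n  - uses: actions/checkout@v4\n"
                   "  - uses: aquasecurity/trivy-action@" + "0123456789abcdef" * 2 + "01234567\n"
                   "  - uses: ./.github/actions/local-step\n")

def run_audit():  # a CI gate fails the build whenever this list is non-empty
    return (audit_package_json(SAMPLE_PACKAGE_JSON) + audit_dockerfile(SAMPLE_DOCKERFILE)
            + audit_workflow(SAMPLE_WORKFLOW))
```

The same three checks apply to MCP server packages, which are pulled through npm or container images like everything else.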

[Figure: supply-chain hygiene checklist infographic covering MCP pinning, SLSA attestation, CI isolation, and secret rotation]

What We Would Ship Differently Starting Monday

If we were kicking off a new AI integration this week, three things would change.

We would run MCP servers in sandboxed runtimes with explicit capability lists — not "whatever the container can do," but an allowlist per tool. Most current MCP deployments do not do this. Most should.
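What an explicit per-tool allowlist can look like in front of an MCP server, as an added example that is not the post's own code: a policy layer that default-denies JSON-RPC methods, admits only allowlisted tool names per server, and confines file-system tools to declared roots after canonicalising the path. The policy, server names, tool names and messages are all constructed for the example.

```python
import json
import posixpath

# Hypothetical policy for this example: each MCP server may expose only the listed tools,
# and file-system tools are further confined to the listed root directories.
POLICY = {
    "fs-server": {"read_file": {"roots": ["/workspace"]}, "list_dir": {"roots": ["/workspace"]}},
    "slack-server": {"post_message": {}},
}
# Protocol housekeeping that needs no per-tool decision; every other method is denied by default.
PASSTHROUGH = {"initialize", "notifications/initialized", "ping", "tools/list"}

def _within_roots(path, roots):
    """Canonicalise before comparing so '/workspace/../etc/passwd' cannot pass a prefix check."""
    canon = posixpath.normpath(path)
    if not canon.startswith("/"):
        return False  # relative paths are ambiguous under a root policy; reject them
    return any(canon == r or canon.startswith(r.rstrip("/") + "/") for r in roots)

def authorize(server, raw_message):
    """Decide one JSON-RPC message bound for `server`; returns (allowed, reason)."""
    tools = POLICY.get(server)
    if tools is None:
        return False, f"server '{server}' is not in the policy"
    try:
        msg = json.loads(raw_message)
    except ValueError:
        return False, "malformed JSON-RPC message"
    method = msg.get("method")
    if method in PASSTHROUGH:
        return True, f"{method} permitted"
    if method != "tools/call":
        return False, f"method '{method}' denied by default"
    params = msg.get("params") or {}
    name = params.get("name")
    if not isinstance(name, str) or name not in tools:
        return False, f"tool {name!r} is not allowlisted for '{server}'"
    roots = tools[name].get("roots")
    if roots is not None:  # file-system tools must stay inside their declared roots
        path = (params.get("arguments") or {}).get("path")
        if not isinstance(path, str) or not _within_roots(path, roots):
            return False, f"path {path!r} is outside the allowed roots for '{server}'"
    return True, f"{server}/{name} permitted"

def tool_call(name, **arguments):
    """Build a constructed MCP tools/call request for demonstrations and tests."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": name, "arguments": arguments}})
```

This layer checks policy only; the server behind it still has to resolve symlinks and enforce its own file permissions.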

We would move supply-chain attestation left. That means SLSA provenance generated at build, verified at deploy, and enforced at the runtime admission controller. It is not exotic anymore — cosign, Sigstore, and the major registries all support it.

And we would assume at least one of our dependencies is already compromised at any given time. Security is not a checklist you finish; it is a posture you maintain. The April 2026 incidents do not change what good looks like — they just make the cost of ignoring it visible.


References

  • https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/
  • https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
  • https://www.infoq.com/news/2026/04/trivy-supply-chain-attack/
  • https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html
  • https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all
  • https://www.helpnetsecurity.com/2026/04/02/supply-chain-hacks-data-theft/
