The System That Eats Itself
Why digital supply chains, and digital co-workers, are creating a new class of systemic risk
Picture the scene
A major shipping lane is disrupted:
A vessel runs aground.
Flows slow.
Routes adjust.
The disruption is visible.
Now consider a different system.
A digital co-worker installs a dependency:
No alert.
No delay.
No visibility.
Within seconds:
Credentials are extracted.
Access is established.
Processes continue.
Nothing stops.
Your digital co-worker has replicated itself with ‘mutated’ embedded dependencies.
The system remains operational.
Compromised.
The Boardroom point
Supply chain risk is still framed physically:
Ports.
Energy.
Logistics.
But a critical supply chain now sits beneath all of these:
The software supply chain.
It behaves differently:
Invisible.
Instantaneous.
Non-linear.
And it is now being operated increasingly by:
Digital co-workers.
The relevant question is no longer:
“Where are we exposed?”
It is:
“What is already running inside our systems that we did not explicitly approve?”
Why this is happening now
Three structural shifts have converged.
1. Dependencies have replaced assets as the unit of risk
Modern systems are assembled from external components.
Each component brings further dependencies.
This creates a layered, transitive structure.
Compromise one layer:
Exposure propagates across all dependent systems.
No direct attack required.
2. AI has removed human friction
Digital co-workers now:
Select libraries.
Write code.
Execute workflows.
They optimise for:
Speed.
Functionality.
Not for:
Integrity.
Trust.
The result:
Decisions once made sequentially by humans are now made in parallel by machines.
At scale.
3. Efficiency has concentrated risk
Architectures now centralise:
Credentials.
Model access.
Execution pathways.
One compromise yields:
System-wide exposure.
Efficiency has removed redundancy.
Redundancy was resilience.
The deeper insight most organisations miss
The software supply chain is not merely static infrastructure.
It is metabolism.
Human systems depend on:
Food.
Water.
Oxygen.
Digital systems depend on:
Packages.
Libraries.
Dependencies.
These inputs are:
Continuously ingested.
Increasingly machine-selected.
Rarely fully verified.
If they are compromised:
The system does not stop.
It continues to operate.
While degrading internally.
The hidden transmission mechanism
This class of failure does not resemble traditional cyber attacks.
1. Entry
A dependency is compromised.
Or impersonated.
Or introduced indirectly.
2. Execution
Code runs automatically:
At installation.
At startup.
Inside build systems.
No user interaction.
3. Expansion
Credentials are extracted:
API keys.
Cloud tokens.
Access credentials.
These are reused to:
Access other systems.
Publish further malicious updates.
The attack propagates.
4. Persistence
Persistence is optional.
The attacker can:
Extract value.
Remove traces.
The system remains functional.
Detection is delayed.
What this looks like in the real economy
Recent incidents follow a consistent structure.
A widely used package is updated.
A new dependency is introduced.
On installation:
A payload executes.
A connection is established.
The payload deletes itself.
In parallel:
A separate compromise yields access tokens.
Those tokens enable:
Code injection across multiple ecosystems.
From a single point of failure:
Thousands of organisations are exposed.
Within days.
The self-replicating workforce
A new property is now emerging.
Digital co-workers can:
Replicate themselves.
Run tasks in parallel.
Generate and modify code.
One agent becomes many.
Each instance can:
Select dependencies.
Install packages.
Execute workflows.
This creates:
Multiple, simultaneous entry points into the supply chain.
The attack surface scales with replication.
Signal degradation inside the system
These systems do not operate deterministically.
They rely on:
Context.
Prompt history.
Iterative reasoning.
Over time:
Context is lost.
Instructions drift.
Outputs diverge.
The system continues to function.
But with reduced fidelity.
A new failure mode
Degraded agents are still trusted.
They still:
Make decisions.
Select dependencies.
Execute code.
But their internal model of:
Intent
Constraints
Risk
Becomes less precise.
This creates:
Correct execution based on degraded understanding.
Emergent risk without an attacker
The system can generate risk internally.
1. Hallucinated dependencies
Agents generate package names that do not exist.
If later registered:
They become attack vectors.
2. Recursive expansion
Agents generate code that:
Calls other agents.
Introduces new dependencies.
Expands the system.
Errors propagate across iterations.
This resembles mutation:
Small deviations
Replicated at scale
Leading to systemic impact.
The organisational blind spot
Empirical evidence shows a consistent gap.
Most organisations:
Do not see the full extent of their supply chain.
Rely on periodic, manual assessments.
Require days to remediate critical issues.
At the same time:
They believe they can withstand disruption.
The issue is not confidence.
It is mischaracterisation.
Risk is no longer:
Discrete and vendor-based.
It is:
Continuous, transitive, and system-wide.
The organisational breaking point
Current controls are structurally misaligned.
They rely on:
Known vulnerabilities.
Static assessments.
Human-paced processes.
Modern threats are:
Unknown.
Transient.
Machine-paced.
By the time risk is identified:
Execution has already occurred.
Why most security strategies are structurally outdated
They are applied too late.
After:
Dependencies are selected.
Code is introduced.
Execution paths exist.
They assume:
Stable systems.
Reality:
Systems are continuously recomposed.
Security is positioned downstream.
The risk originates upstream.
The Weekend takeaway
The physical supply chain moves goods.
The digital supply chain moves execution.
One fails visibly.
The other fails silently.
Digital co-workers amplify this shift:
They accelerate ingestion.
They multiply decision points.
They replicate errors.
Failure is no longer a discrete event.
It is a continuous condition.
🧠 Techie Corner for the Non-Techies
Five technical dynamics explain what is changing.
1. Software is assembled from external components
Developers reuse packages.
Each package brings additional dependencies.
Risk propagates through these connections.
2. Installation can trigger execution
Some packages run code automatically when installed.
This allows immediate execution of malicious instructions.
3. Credentials are the primary target
Systems rely on keys and tokens.
If these are accessed:
Attackers can operate legitimately.
4. AI increases speed and scale
AI systems:
Select dependencies.
Write code.
Execute workflows.
They increase throughput.
But reduce scrutiny.
5. Detection based on known threats is insufficient
Traditional tools rely on known vulnerabilities.
Modern attacks are:
New.
Short-lived.
Behavioural.
Detection must focus on what code does.
Not whether it is known.
Final simplification
Digital systems now:
Continuously ingest external code.
Execute it automatically.
Scale decisions through replication.
The relevant question shifts from:
“Are we protected?”
to:
“What are we executing that we do not understand?”
📚 Further reading
Andreessen Horowitz (a16z): Et Tu, Agent? Did You Install the Backdoor? (2026)
A real-world supply chain attack demonstrates how a malicious dependency can execute at install time and evade traditional controls. The piece shows how AI agents accelerate dependency selection and deployment, compressing attack timelines and expanding exposure across ecosystems.SecurityScorecard: 2026 Supply Chain Cybersecurity Trends Report (2026)
Highlights structural weaknesses in supply chain security, including limited visibility across vendor ecosystems, reliance on manual processes, and delayed remediation. Underscores the gap between perceived resilience and actual operational control.Linas Beliūnas (LinkedIn) + eSecurity Planet: LiteLLM Supply Chain Attack (2026)
Shows how compromise of a centralised AI proxy layer can expose API keys and credentials across entire ecosystems. Illustrates how shared AI infrastructure creates systemic risk when a single dependency is breached, with LinkedIn acting as amplification and technical reporting confirming the mechanism.arXiv: Towards a Benchmark for Dependency Decision-Making (2026)
Introduces a framework for evaluating how AI systems make dependency decisions in software development workflows. The paper establishes that dependency selection is a non-trivial, high-impact decision process and provides a structured benchmark to assess agent performance, highlighting the need for systematic evaluation of AI-driven package selection.
arXiv: Darwin Godel Machine: Open-Ended Evolution of Self-Improving Agents (2025)
Introduces self-improving agents that iteratively modify their own code and generate new versions of themselves. Establishes a model of replication, variation, and selection in software systems analogous to biological evolution.arXiv: Dive into the Agent Matrix: A Realistic Evaluation of Self-Replication Risk in LLM Agents (2025)
Finds that a significant proportion of AI agents exhibit uncontrolled self-replication behaviours under operational conditions. Demonstrates that replication emerges naturally in agentic systems, increasing complexity and risk.Springer (AI & Ethics): The Evolution of Goals in AI Agents (2025)
Shows that AI agents replicate internal parameters with variation, transmitting “genetic” information across iterations. Provides a formal basis for comparing agent behaviour to biological inheritance and mutation.Emergent Mind: Self-Replicating Programs in Computational Substrates (2026)
Defines digital replicators as systems capable of reproducing both their logic and execution mechanisms, enabling sustained self-propagation. Establishes the technical foundation for autonomous replication in software environments.
Historical Cases: SolarWinds, XZ Utils, Log4Shell (2020–2024)
These incidents illustrate the progression from targeted supply chain compromises to systemic vulnerabilities affecting entire ecosystems. They provide the baseline context for understanding how AI-driven systems now accelerate both scale and speed of impact.
Last Week on Something for the Weekend
Two CEOs stepped aside. Not due to failure, but because the role itself is changing.
The shift is not about AI adoption. It is about leadership capacity. Boards are no longer assessing whether a CEO can run the business, but whether they can operate a system where decision-making is partially delegated to machines.
The constraint is not technology. It is integration. Most organisations now have more AI capability than they can absorb. Tools are deployed, but behaviour, workflows, and incentives remain unchanged. As a result, value does not compound.
This creates a structural gap. Individuals experiment. Teams diverge. Organisations fragment. Without a shared operating model, AI amplifies inconsistency rather than performance.
At the edge, the model is already breaking. Individuals, augmented by AI, can perform functions that previously required entire teams. Coordination, not headcount, becomes the defining variable of the firm.
The failure point sits at the core. Companies are layering AI onto legacy structures instead of rewiring how decisions are made and executed. Leadership bandwidth becomes the limiting factor.
The implication is direct. The CEO role is shifting from decision-maker to architect of a human-machine system. Those who cannot operate at the speed and structure required by AI will constrain the organisation.
This is not a technology transition. It is a leadership transition.


















That sounds genuinely alarming.