Home/AI tooling
AI tooling supply chain

Your AI installs code too. Put it behind the same firewall.

MCP servers, Claude Skills, and Hugging Face models are code your organization installs and executes — and most of it runs with more privilege and less sandboxing than the npm package you'd block in your sleep. It's the same attack shape you already defend against, against a softer target. Upwarden covers it on the chokepoint you already run.

AI / developer ──▶ 🛡 Upwarden ──▶ model / tool registry
The same attack, a softer target

Registry → install → execute

Supply-chain attacks follow one shape: a client points at a registry, pulls an artifact, and runs code. Upwarden already gates that shape across npm, PyPI, crates, Go, Maven, NuGet and RubyGems. AI tooling is the same shape — with a security ecosystem a decade behind, and code that runs closer to your secrets.

Three new surfaces

The attackers are already here

Not a future-threat narrative. Documented, at scale, today.

Model registries

Hugging Face & friends

Data-science teams pull weights, tokenizers and configs the way developers pull npm — and a typosquat of a popular model can take hundreds of thousands of downloads before anyone notices. A poisoned config.json can execute code on a plain from_pretrained() call.

MCP servers

Tools wired into your AI

Trojanized and look-alike MCP servers have shipped infostealers and quietly exfiltrated data. They run with broad access to your environment — and they ship as npm and PyPI packages, so they already flow through Upwarden's chokepoint.

Claude Skills

Unsandboxed by design

The official guidance is "install only from trusted sources" — because Skills have no sandboxing. That's a hope, not a control. A public Skill typosquatting your internal one is a credible path straight to your secrets.

The structural edge

Why a firewall sees what a scanner can't

Most defenses in this space are endpoint scanners: you run them against a file after you've chosen to pull it. A firewall sits in the path — every install flows through it, in real time, before the artifact lands. Three controls follow from that position that a scanner cannot ship by design.

Inline config blocking

A poisoned config.json — five characters of JSON — can trigger code execution on from_pretrained() (CVE-2026-4372), past safetensors, pickle scanners and trust_remote_code=False. A control in the path — unlike an after-the-fact scanner — can inspect and block that file in flight, before it executes. This config-content inspection is in active development for Upwarden's Hugging Face proxy.

Org-wide commit pinning

Re-registering a deleted namespace to hijack what a name resolves to is a known model-registry attack. Pin to a commit SHA across the org and it's neutralized — a policy a chokepoint enforces and a scanner can't.

Incident response in seconds

When the next bad model or server is named, "who in my org pulled attacker/thing between Tuesday and Thursday?" is one audit query — answered in seconds, not a multi-day scramble across laptops and CI.

No cache blind spot

Because Upwarden is the registry, a cached artifact can't slip past it — the same structural gap that wrapper-based and after-the-fact scanners can't close for packages, closed for AI tooling too.

Day one

Typosquats of your private tooling, blocked

Upwarden's dependency-confusion defense already stops a public package from impersonating a private internal one. Point it at Skill and MCP names and the worst-plausible-undefended attack is covered the moment it's wired.

Without a firewall
install
$ install acme-internal-tools
# public name shadows your private skill…
acme-internal-tools@9.9.9  ← attacker upload
✗ calls your internal MCP, exfiltrates creds
With Upwarden
install
$ install acme-internal-tools
upwarden › internal name — public upload BLOCKED
acme-internal-tools  ← your private source only
✓ impersonation refused, audit row written
On the infrastructure you already run

Leverage, not a second product

The category just extended to cover the code-shaped things your AI installs — on the same chokepoint, with the same verdict, policy and audit surface as every other dependency.

Detected on the path you have

MCP servers and Skills are identified at the existing npm/PyPI scan layer — no new agent, no second deployment. Tool-injection and prompt-injection checks on them are in development.

Hugging Face, same posture

The next ecosystem behind the same proxy: scan → verdict → allowlist, new file types — plus commit-pin controls endpoint scanners can't match (inline-config blocking is in development).

One verdict surface

AI tooling lands in the same dashboard, policy engine and audit log as npm and PyPI — per-org policy, custom blocklists, searchable history, SIEM export.

Prevent, don't just alert

The bad version is stripped before it installs, the same way Upwarden handles a malicious package — not a ticket filed after it's already in your environment.

Sovereign by default

It's your infrastructure. What your AI pulls — and what you block — never has to leave your network. No telemetry, every verdict explainable.

Included on Team & Org

AI-tooling coverage ships as a standard capability on the Team and Org tiers — not a separate SKU. The same firewall, a wider surface.

If you wouldn't run an unaudited npm package as root, don't run an unaudited MCP server inside your AI assistant. Your security team locked down npm and PyPI years ago. Your AI tooling runs the same kind of code, with more privilege and less sandboxing. It belongs behind the same door.

Get started

One firewall for everything code-shaped your org installs

Including the code-shaped things your AI is installing on your behalf.