RPA security

RPA marketplace supply chain risk: what you're installing on the bot host

An RPA marketplace is a software supply chain. Every partner or community-contributed activity pack you download is opaque code that runs with the bot user's full privileges, pulls a tree of transitive NuGet or runtime dependencies into your CI, and can change behavior silently when the publisher republishes. It is the same risk shape as npm or PyPI, applied to your automation stack. Most of the writing on “RPA in supply chain” covers using bots to manage logistics; this page covers the other reading of the phrase, which is what the bot installs.

M
Matthew Diakonov
7 min read

Direct answer (verified 2026-05-11)

RPA marketplace supply chain risk is the security and reliability exposure your automation program takes on when you install community or partner-contributed bots, activity packages, and connectors from an RPA vendor's marketplace (UiPath Marketplace, Automation Anywhere Bot Store, Microsoft AppSource) into production. These components run with the bot user's full privileges, pull transitive NuGet or runtime dependencies under your CI, and can change behavior or break when a publisher updates or disappears. It is the same shape as npm and PyPI supply chain risk, in a place most security teams have not catalogued yet.

Sources: marketplace.uipath.com (component catalog); UiPath forum announcement of 1,000+ reusable components, 2020; CISA alert on supply chain compromise of tj-actions/changed-files (CVE-2025-30066), March 2025.

Why the marketplace is a supply chain, not a feature store

Most RPA security writeups stop at the bot's identity and the orchestrator's RBAC: who runs the bot, what creds it holds, what queues it can pull from. That is the right scope for the control plane. It is the wrong scope for the question this page asks, which is: whose code is actually running on the bot host when the workflow executes.

When a developer drags an activity from the UiPath Marketplace into a process, what lands on the bot host is a packaged .nupkg with one or more .dll assemblies inside, plus a transitive closure of NuGet dependencies resolved at build time. The activity may publish telemetry, talk to a vendor endpoint, read clipboard or screen state, write temp files, or call native code. None of that is inherently bad. All of it is third-party code that a security review of your workflow probably did not read line by line.

The UiPath Marketplace crossed 1,000 reusable components by mid 2020 and has grown since, spanning UiPath-published, partner-published, and community-published listings. Automation Anywhere's Bot Store and Microsoft AppSource's Power Automate connector catalog have similar shapes. The trust model is “the marketplace curates”; the technical model is “the package runs as you on a Windows host that touches your SAP, your EHR, your banking core”.

What the dependency graph looks like, concretely

A typical enterprise UiPath process imports a handful of activity packs. Each pack brings its own NuGet tree, and every leaf in that tree runs with the bot user's privileges. This is the shape of the boundary you are accepting:

Marketplace inputs land inside one process running as you

Marketplace component (.nupkg)
Custom activity package
Connector / integration pack
Solution template
Community sample bot
Your production bot
Transitive NuGet deps
Selectors against vendor UIs
Outbound HTTP calls
Filesystem and clipboard access
Silent updates on republish

Each input on the left is a separate publisher with its own update cadence. Each output on the right is something the bot host now does on your behalf, often without an explicit log line attributing it to the originating package.

The six specific risks

  1. Publisher compromise. A partner's build or publish credentials get phished or their GitHub Actions runner gets popped. The next version of an activity pack you already trust ships malicious code. This is exactly what happened to tj-actions/changed-files in March 2025 (CVE-2025-30066); your RPA marketplace ecosystem is one such incident away.
  2. Transitive dependency drift. The activity pack pins to a major version, but inside it the NuGet resolver pulls a newer patch of a library on the next CI run. The behavior of your bot changes for reasons no one on your team typed into a workflow.
  3. Selectors against vendor UIs. Many marketplace activity packs are wrappers that fire pre-baked selectors against a specific version of SAP, Oracle, or a banking core. The vendor ships a support pack, the selector rots, the activity pack does not get a fix because the publisher moved on. Your workflow now needs a third-party package the publisher does not maintain.
  4. Excess privilege by default. An activity pack that needs to read one SAP field gets the full screen, clipboard, file system, and outbound HTTP because no Windows-RPA stack has a per-activity sandbox. Compromise of any one pack equals compromise of the bot user.
  5. Publisher disappearance. The maintainer of a community-published bot stops responding, the listing gets delisted, or the partner exits the marketplace program. Your internal feed still resolves the cached version, but no one is going to ship the next fix. The workflow rots quietly.
  6. Silent telemetry and outbound calls. Some activity packs phone home to the publisher's telemetry endpoint, license server, or update channel. Without an outbound-network allowlist on the bot host you do not see this, and a security review that only read the developer-facing docs would not catch it either.

Side by side: marketplace-driven stack vs. one-publisher accessibility-API stack

The comparison that matters when you write the controls document. Same workflow on SAP GUI, two different runtime architectures, two very different supply chains.

FeatureMarketplace-driven RPA stackMediar (one-publisher accessibility-API)
Where the automation logic comes frommarketplace listings (UiPath Marketplace, Automation Anywhere Bot Store, Microsoft AppSource) published by hundreds of partners and community contributors; the marketplace crossed 1,000 reusable components by 2020 and has grown sincethe agent watches one of your operators run the workflow once and writes a deterministic TypeScript file into your own repo; no third-party bot library is installed
Number of publishers in the trust boundaryevery distinct publisher whose package the workflow imports, plus everyone in those packages' transitive dependency trees (NuGet, npm, system DLLs)one: github.com/mediar-ai/terminator. The runtime is a single Rust crate (crates/executor, 1,606 lines) under a single org
What gets installed on the bot hostopaque .nupkg / .dll bundles for each activity pack, plus their NuGet transitive closure, resolved at build time; updates land when a publisher republishesthe Mediar desktop agent binary plus the workflow file from your own repo; no third-party packages pulled per workflow
What runs with the bot user's privilegesall of the above, including any code paths inside transitive deps you did not audit; an activity pack can read the screen, write to disk, and make outbound HTTPonly the executor crate replays the workflow file's tool calls via Windows accessibility APIs; same audit surface every run
What happens when the publisher disappearsthe listing can be delisted; existing packages still resolve from your internal feed but get no fixes; selectors that depend on the publisher's chosen anchors rot on the next vendor UI changethe workflow file is yours, in your repo, and reads from the OS accessibility tree. If labels move, the executor's fallback cascade (automation_id, window plus bounds, visible text) absorbs most changes; whichever fallback fired is logged on the step
Audit shape for a single field writeactivity-pack log lines (whatever the pack's developer chose to write), a selector string, and often a screenshotstep_id, tool_name, application_name, element role, automation_id, field name, prior value, new value, duration_ms, retry_count, status; written into workflow_executions in Postgres
Vulnerability surface to triage on a CVEyour activity packs plus their NuGet transitive closure; for a typical enterprise UiPath process this is dozens to hundreds of versioned dependenciesthe executor crate's Cargo.lock plus the Mediar agent's release notes; one tree, one publisher

Marketplace components have legitimate uses, especially official vendor packs and well-maintained partner integrations. The risk shape above applies to community and partner publishers in the long tail of the catalog; for those, the mitigations under 'What concrete mitigations work' are the floor.

1 crate

The Mediar runtime is a single 1,606-line Rust crate (crates/executor in github.com/mediar-ai/terminator) under one publisher. Workflows are TypeScript files in your own repo, not third-party packages. There is no marketplace of community-contributed bots to audit.

Mediar product repo, May 2026

What concrete mitigations work if you stay on a marketplace-driven stack

Five things, in rough order of leverage. None of them are marketplace-specific; they are the same controls a mature npm or PyPI consumer applies. The point is that most enterprise RPA programs are running the npm playbook from 2014, not the one from 2026.

  • Mirror, do not pull. Run a private NuGet or activity feed inside your perimeter and only mirror in vetted, version-pinned packages. Block direct pulls from public marketplaces on bot hosts. This converts “the publisher republished” from a silent event into one your security team chooses to accept.
  • Demand a real publisher and an SBOM. Require a verified publisher identity and a software bill of materials for every component you onboard. Anonymous community packages are untrusted by default. Vendor-published activity packs from a verified partner are a different risk class than a forum post.
  • Sandbox the bot host. Each bot host runs in a VM or container with no inbound and an outbound allowlist. Segment by workflow risk class: a customer-facing claims bot does not share a host with a back office reconciliation bot. Compromise of one activity does not become compromise of the network.
  • Scan and pin every ingest. Run the same scanning tooling you use for npm and PyPI against ingested .nupkg files: known-CVE checks, malicious package signatures, dep-tree audits. Pin transitive deps via lock files. Review every version bump like a code change.
  • Log outbound network on bot hosts. Every outbound call from a bot host should be logged and attributed. Activity packs that phone home to the publisher's telemetry or update endpoint should be reviewed and either explicitly allowed or blocked. The allowlist is the audit.

The structural alternative: collapse the boundary to one publisher

Every mitigation above is a way to make a marketplace-driven supply chain safer. None of them remove it. There is a different shape available, which is to not have a marketplace of community-contributed bots in the stack at all.

Mediar's runtime is one Rust crate in one public repo (crates/executor in github.com/mediar-ai/terminator), 1,606 lines, under one publisher. There are no partner-published activity packs to install on the bot host. The workflow is a TypeScript file that your operator's recording generates into your own repo; the executor reads it and replays the steps via Windows accessibility APIs. The fallback cascade for finding a control (automation_id, then window plus bounds, then visible text) is in the executor, not in a per-vendor selector pack.

From a supply chain review point of view, the boundary collapses:

  • One publisher to vet (mediar-ai on GitHub), one release cadence, one Cargo.lock to audit.
  • Zero partner activity packs running on the bot host.
  • Zero NuGet transitive dependency tree per workflow; only the Rust runtime's own dependency closure, fixed across workflows.
  • The workflow itself is your code in your repo, not a third-party package. It reads exactly like a TypeScript script and goes through your normal code review.

This is not a claim that Mediar is incidentally more secure; it is the structural consequence of replacing a marketplace with a recording-plus-executor architecture. The trade-off is real: you do not get hundreds of pre-built connector packs. For Windows desktop legacy work (SAP GUI, Oracle EBS, Jack Henry, Fiserv, FIS, Epic, Cerner, mainframe terminals) that is fine, because the accessibility tree gives the agent enough structure to do without per-app activity packs in the first place.

Want to walk through your current RPA dependency tree?

We will sit with your RPA Center of Excellence lead, pull the list of activity packs in production, sketch the trust boundary, and show what a single-publisher accessibility-API stack looks like on one of your real workflows. 30 minutes, no slides.

FAQ

Frequently asked questions

Direct answer: what is RPA marketplace supply chain risk?

It is the security and reliability exposure your automation program inherits when you install community or partner-contributed bots, activity packages, and connectors from an RPA vendor's marketplace (UiPath Marketplace, Automation Anywhere Bot Store, Microsoft AppSource for Power Automate) into production. Those components run with the bot user's full privileges on the bot host, pull transitive NuGet or runtime dependencies into your CI, often make outbound HTTP calls to the publisher's endpoints, and can change behavior silently when the publisher republishes. It is the same class of risk as npm or PyPI supply chain attacks, applied to RPA. Sonatype counted over half a million malicious open-source packages in a single year; RPA marketplaces sit in the same ecosystem of NuGet and partner-published code.

How is this different from regular RPA bot security?

Regular bot security is mostly about the bot's credentials, the orchestrator's RBAC, and network segmentation: who can submit a job, what creds it uses, what it can reach. Marketplace supply chain risk is one layer below. It is about every piece of code your workflow ends up executing on the host that you did not write yourself: third-party activity packs, connectors, samples copied from forums, NuGet deps of those packs. A perfectly governed bot with a hardened service account can still run a republished community component that decides to exfiltrate the clipboard.

Has there been a published RPA marketplace supply chain attack?

There is no widely publicized RPA-specific incident as of May 2026. UiPath's security advisories cover platform-level CVEs (CVE-2025-55315 on the platform, plus Next.js and React.js downstream advisories), not marketplace component compromises. The honest framing is that this is a foreseeable risk shape, not a counted incident: NuGet and npm have had thousands of malicious packages and several CI-pipeline compromises (tj-actions/changed-files, reviewdog/action-setup were CISA-tracked supply chain compromises in March 2025); RPA marketplaces sit in the same trust model. If you have hundreds of partner-published packages in production, the absence of a public incident is not a security control.

Which marketplaces does this apply to?

Any RPA vendor that runs a third-party listing surface where partners and community members publish executable components. The largest are UiPath Marketplace (over 1,000 reusable components by mid-2020 and has grown since, mix of UiPath, partner, and community publishers), Automation Anywhere's Bot Store, and Microsoft AppSource for Power Automate connectors. Blue Prism's Digital Exchange has a similar shape. Internal company-run "bot libraries" inside an RPA Center of Excellence have the same risk shape with a smaller trust boundary.

What concrete mitigations work if I stay on UiPath or Automation Anywhere?

Five things, in rough order of leverage. (1) Run a private NuGet or activity feed and only mirror in vetted, version-pinned packages; block direct pulls from public marketplaces on bot hosts. (2) Require a published SBOM and a real publisher identity for every component you onboard; treat anonymous community packages as untrusted by default. (3) Sandbox each bot host so a compromised activity cannot reach the rest of your network; segment by workflow risk class. (4) Scan packages on ingest (the same tooling you use for npm or PyPI) and pin transitive deps via lock files; review every version bump. (5) Log every outbound network call from bot hosts and alert on unexpected destinations; activity packs that phone home to a publisher's endpoint should be reviewed.

How does Mediar remove this class of risk instead of just mitigating it?

Mediar has no marketplace of community-contributed bots. The runtime is a single Rust crate (crates/executor in github.com/mediar-ai/terminator, 1,606 lines), under one publisher. Workflows are not third-party packages; the agent watches an operator run the process once and writes a TypeScript file into your own repo, which the executor replays via Windows accessibility APIs. There is no NuGet-style transitive dependency tree for the workflow itself. The trust boundary collapses to: the executor binary, your workflow file, and the OS. You can still pin Mediar releases and review Cargo.lock; that is a normal Rust supply chain, not a marketplace of partner DLLs.

Is the open-source Terminator SDK itself a supply chain risk?

It is a supply chain in the standard open-source sense and you should treat it the same way you treat any open-source runtime you depend on: pin the version, read the release notes, scan transitive Rust deps via Cargo.lock, host an internal mirror if your security policy requires it. The difference vs an RPA marketplace is the shape: one repo, one publisher, one Cargo.lock to audit, not hundreds of partner-published packages with independent update cadence. For most enterprise reviewers this maps cleanly onto a process they already run for other Rust or Node dependencies.

Does this matter for a small RPA program with under a dozen workflows?

Less than for a large program, but the marginal cost of doing the basics is small. Pin every package you install, prefer official vendor publishers over community ones, scan ingested packages with the same tools you scan npm or PyPI with, and avoid running activity packs that need outbound network without a documented reason. The trap most small programs fall into is starting with one marketplace import and ending up with thirty after a year of "there's a bot for that" decisions; the supply chain grows quietly and the inventory is whatever the bot developers remember.

Related

Deep dive

AI agents replacing UiPath RPA

Why accessibility-tree agents replace selector-based bots on legacy desktop workloads.

Read
Governance

Enterprise AI agent governance on legacy systems

The audit log is the input layer: structured per-step records on SAP, Epic, and Jack Henry.

Read
Architecture

AI agents on legacy desktop systems with no API

How accessibility-tree agents reach apps that have no integration story.

Read

How did this page land for you?

React to reveal totals

Comments ()

Leave a comment to see what others are saying.

Public and anonymous. No signup.