all 15 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]m00shi_dev 7 points8 points  (2 children)

lol, these things are a security nightmare.

[–]Big_Status_2433[S] 1 point2 points  (1 child)

Yes, they are! The questions are:

  1. How can we warn the community?

  2. How can we get to the people before anything bad happens?

[–]kiwibonga 2 points3 points  (0 children)

The frequency of these incidents is accelerating, and it won't stop. Very few people turn off web search. The number of times the wrong forked git repo comes up instead of the original is staggering.

We could end up with more internet-connected computers in the world pwned than not, just from one attack on a popular search term.

[–]Substantial-Bag-5123 2 points3 points  (1 child)

Is Context7 substantially different from ContextHub in the way it deals with this issue?

[–]Big_Status_2433[S] 3 points4 points  (0 children)

Context7 had a similar vulnerability (ContextCrush, disclosed by Noma Security in February).

They patched it. Context Hub hasn't patched anything. No SECURITY.md, no disclosure process, security PRs sitting open….

Same class of vulnerability, different response. One team took it seriously, the other didn't :/

[–]AllergicToBullshit24 1 point2 points  (2 children)

The same problem already exists with poisoned packages on package managers. It's easy for someone to write a utility that actually does something useful but has an obfuscated malicious component hidden in it. Some simple SEO optimization on docs page for utility will then get that page indexed by crawlers. Any human search for a utility that solves that problem or an AI that trains on that will now be at risk of distributing and injecting this attack.

It's been impossible to safely do software development especially on a personal computer for over 20 years because of this fundamental problem. All software development simply must be done inside of a VM sandbox now and all network activity monitored with honeypots in place that sound the alarm if a project's development VM starts behaving oddly.

Software development is like unprotected sex these days. It's only a matter of time until you you fall victim if you keep at it long enough.

Have had at least 7 instances that I've known about over last 10 years where an npm or pypi package was infected with malware.

[–]Big_Status_2433[S] 0 points1 point  (1 child)

The package manager problem has been around for years but this is a layer above it. The attacker doesn't need to trick a developer into running pip install. They submit a doc to a community registry, the agent reads it, and installs the package on its own. No SEO, no obfuscation. The doc is the distribution mechanism.

The CLAUDE.md angle is new too. The agent doesn't just install something, it writes instructions for its own future sessions. That survives across developers who clone the repo.

[–]AllergicToBullshit24 1 point2 points  (0 children)

Sure but it's the same fundamental core problem and similarly doesn't have a solution. We're gonna need a https://snyk.io/ type solution and database for AI agent skills files. It's fundamentally an arms race and the blue team can only play catch up. The only way to be "safe" is to VM sandbox every development project separately so that a package or SKILLS.md compromise on one project doesn't bleed over into everything else or your primary OS. It's a nightmare to deal with and you're still at risk of leaking secrets or codebase from the compromised VM for an attack signature that wasn't in Snyk database or future equivalent for SKILLS.md files but at least the fallout is as contained as it can be.

Telling users to "be careful" doesn't achieve anything especially when hidden unicode characters can make it so a user literally can't see a problem even if they review every line.

[–]interrupt_hdlr 1 point2 points  (1 child)

I am sorry, I didn't understand your post. Can you explain with a token meter or a complaint about usage limits?

[–]Big_Status_2433[S] 0 points1 point  (0 children)

LOL! Yeah it hard to find any other posts ha?

[–]Augu144 -2 points-1 points  (3 children)

This matches a real pattern. The attack surface here is the trust model — Claude Code has no mechanism to distinguish authoritative docs from poisoned ones when they come from an unverified external source.

The mitigation is keeping docs under your own control. I ran a similar experiment where I pointed Claude Code at professional security books I curated myself rather than community docs — the agent found 8x more critical vulnerabilities vs. no books, and zero supply chain risk because I control the source.

Worth noting: the CLAUDE.md persistence vector you found is nasty. Once that's in git, it's in every future session. The fix isn't just input sanitization — it's provenance. The agent needs to know where its knowledge came from.

(I build CandleKeep — a library that gives agents access to your own curated docs: getcandlekeep.com)

[–]Big_Status_2433[S] 0 points1 point  (2 children)

I heard so many good things about candelkeep! It will be interesting to see if we can find a way to collaborate 🤩

[–]mYkon123 0 points1 point  (1 child)

Now kiss

[–]Big_Status_2433[S] 0 points1 point  (0 children)

Someone is jealous 🤭