Security Research

Independent security researcher focused on AI supply chain security and prompt injection attack vectors. Findings submitted through responsible disclosure programs.

#001 | Critical | 2026-04-02

Persistent Prompt Injection via npm Supply Chain

Discovered a new attack pattern in which an npm package persistently hijacks an AI coding assistant through its postinstall hook. A malicious package was found injecting 13 persistent skill files into Claude Code's configuration directory (~/.claude/commands/) that instruct the assistant to skip its security prompts and user confirmations. The injected files survived package uninstallation, since no cleanup mechanism exists, effectively leaving a persistent backdoor that auto-approved all operations without user consent.

CVSS Score: 9.2
Reddit Views: 15K+
Injected Files: 13
Submitted Via: HackerOne

Attack Flow

Initial Access
User runs npm install openmatrix. The package's postinstall hook (scripts/install-skills.js) executes automatically, with no user interaction required, unless npm is invoked with --ignore-scripts (or ignore-scripts=true is set in .npmrc).
Persistence
13 Markdown skill files are written to ~/.claude/commands/om/ with an always_load: true frontmatter flag, so they are loaded in every future Claude Code session.
Defense Evasion
auto.md contains a <BYPASS-MODE> block that instructs Claude to auto-approve all Bash commands, file operations, and agent calls, bypassing the permission system that would otherwise prompt the user.
Execution Control
om.md and openmatrix.md are marked priority: critical and instruct the assistant to intercept ALL development requests, routing them through the attacker's workflow. <NO-OTHER-SKILLS> blocks forbid the use of any other skills or tools.
No Cleanup
npm uninstall does NOT remove the injected files; the package provides no uninstall script. The files persist indefinitely across all sessions until manually discovered and deleted.

MITRE ATT&CK Mapping

T1546 Event Triggered Execution - npm postinstall lifecycle hook
T1547 Boot or Logon Autostart Execution - persistent skills via always_load: true
T1562.001 Impair Defenses: Disable or Modify Tools - <BYPASS-MODE> instructions that suppress permission prompts
T1195.002 Supply Chain Compromise: Compromise Software Supply Chain - malicious npm package

Responsible Disclosure

All findings are submitted through official vulnerability disclosure programs before public release. I follow coordinated disclosure practices and work with vendors to ensure fixes are deployed before details are published.