#011Medium2026-04-03

AI Tool Skill Injection Campaign (4 Packages)

trackux, @fleetsnowfluff/confluence-cli, claude-compass, opclawtm

Full Report
Verdict:SUSPICIOUS — Undisclosed AI assistant configuration modification

Overview

Four packages that exploit the same trust model: npm packages are expected to be code libraries, but these modify AI assistant configurations. trackux copies skills into projects via CLI; @fleetsnowfluff/confluence-cli silently registers skills on install across ALL detected AI tools; claude-compass registers persistent global hooks that fire after every tool use; opclawtm ships 1MB of encrypted preset data with 100+ obfuscated files. None steal credentials directly, but all establish persistence mechanisms that could become malicious via semver-compatible updates.

4
Packages
3
AI Tools Targeted
Skills
Injection Type
New
Attack Category

Attack Flow

trackux
CLI copies .claude/skills/trackux-* and codex/AGENTS.md into projects. Sends events to Cloudflare Worker. Skills are about tracking SDK, not malicious, but installed without explicit consent.
@fleetsnowfluff
Postinstall silently registers SKILL.md in Claude Code, Cursor, and Codex via register() function. Skips only in CI environments. Users don't know skills are being installed.
claude-compass
Brand-new package (0.1 days old) registers persistent global hooks in ~/.claude/settings.json — PostToolUse fires after EVERY Claude operation. Currently benign (logging only) but update could exfiltrate.
opclawtm
Multi-agent framework with 1MB encrypted preset-data.enc, 100+ obfuscated files, Feishu/WeChat integration. vampirem1@outlook.com maintainer. Cannot be audited.

MITRE ATT&CK Mapping

T1546Event Triggered Execution — hook and skill auto-loading
T1195.002Supply Chain Compromise — npm distribution
T1027Obfuscated Files — encrypted presets in opclawtm
T1547Boot/Logon Autostart — persistent global hooks

Tags

AI SecuritySkills InjectionClaude CodeCodexCursorCampaign

Full Report

AI Tool Skill Injection: trackux, @fleetsnowfluff, claude-compass, opclawtm

TL;DR

Four packages inject skills, commands, or hooks into AI coding assistants (Claude Code, Codex, Cursor) via npm install. None steal credentials directly, but all modify AI tool configurations without clear user consent, establishing persistence mechanisms that could become malicious via updates.

Package 1: trackux@0.3.5 / 0.3.8

  • Maintainer: toineapps (toine.k21@gmail.com)
  • What it does: CLI copies .claude/skills/trackux-* and codex/AGENTS.md into projects
  • Injected skills: trackux-setup, trackux-track, trackux-leads (event tracking SDK)
  • Network: sends to trackux-api.frank-bonnet.workers.dev (Cloudflare Worker)
  • Assessment: The skills themselves are about the trackux tracking SDK — not malicious content. But installation via npx trackux install-agents copies files into your project without explicit consent about what's being added

Package 2: @fleetsnowfluff/confluence-cli@1.2.15

  • Maintainer: fleetsnowfluff (pyl1021920178@gmail.com)
  • Postinstall: silently registers skills in Claude Code, Cursor, Codex via register() function
  • Injected files: SKILL.md (en/zh), SKILL.codex.md, reference docs for Confluence workflows
  • Assessment: Skills are about Confluence (legitimate content). But the postinstall runs silently on npm install, injects into ALL detected AI tools, and skips only in CI. Users don't know skills are being installed

Package 3: claude-compass@0.1.3

  • Maintainer: codemode001 (rhey.pisos@gmail.com)
  • Created: 2026-04-03 (brand new, 0.1 days old)
  • What it does: Registers persistent hooks in ~/.claude/settings.json:
    • PostToolUse hook — fires after EVERY Claude Code tool use
    • Stop hook — fires at session end
  • Hook code: The PostToolUse hook only appends to .claude/pending-updates.md — logs which files were written. No network calls, no exfiltration
  • Self-dependency: claude-compass depends on itself (^0.1.0) — anomalous
  • Assessment: Current code is benign (just logging). But global hook registration from a brand-new package by unknown author creates a persistence vector. A semver-compatible update could make the hooks exfiltrate data

Package 4: opclawtm@1.7.2 / opclawtm-cli@1.3.9

  • Maintainer: podreosom1 (vampirem1@outlook.com)
  • What it does: Multi-agent collaboration framework with 1MB encrypted preset data (preset-data.enc)
  • Files: 100+ obfuscated .js files, encrypted presets, Feishu/WeChat integration
  • Repository: github.com/poderosom1/opclawtm (exists)
  • Assessment: The encrypted presets and obfuscated code make auditing impossible. Could be a legitimate commercial tool protecting IP, or could contain hidden payloads. The vampirem1@outlook.com email and generic GitHub account are concerning

The Pattern

All four exploit the same trust model: npm packages are expected to be code libraries, but these packages modify AI assistant configurations. This is a new category of supply chain attack where the payload isn't code execution — it's AI behavior modification.

Credits

Detected by: npm-sentinel automated scanner Date: 2026-04-03

Previous
#010 Silent Code Exfiltration + Remote Prompt Injection via Dev Tool Hooks
Next
#012 Windows DPAPI Password Stealer via Typosquat