#013 | Medium | 2026-04-03

AI Tool Skill Injection Campaign (4 Packages)

trackux, @fleetsnowfluff/confluence-cli, claude-compass, opclawtm

Verdict: SUSPICIOUS — Undisclosed AI assistant configuration modification

Overview

Four packages that exploit the same trust model: npm packages are expected to be code libraries, but these modify AI assistant configurations. trackux copies skills into projects via CLI; @fleetsnowfluff/confluence-cli silently registers skills on install across ALL detected AI tools; claude-compass registers persistent global hooks that fire after every tool use; opclawtm ships 1MB of encrypted preset data with 100+ obfuscated files. None steal credentials directly, but all establish persistence mechanisms that could become malicious via semver-compatible updates.

Packages: 4
AI Tools Targeted: 3
Injection Type: Skills
Attack Category: New

Attack Flow

trackux
CLI copies .claude/skills/trackux-* and codex/AGENTS.md into projects. Sends events to Cloudflare Worker. Skills are about tracking SDK, not malicious, but installed without explicit consent.
@fleetsnowfluff
Postinstall silently registers SKILL.md in Claude Code, Cursor, and Codex via register() function. Skips only in CI environments. Users don't know skills are being installed.
claude-compass
Brand-new package (0.1 days old) registers persistent global hooks in ~/.claude/settings.json — PostToolUse fires after EVERY Claude operation. Currently benign (logging only) but update could exfiltrate.
opclawtm
Multi-agent framework with 1MB encrypted preset-data.enc, 100+ obfuscated files, Feishu/WeChat integration. vampirem1@outlook.com maintainer. Cannot be audited.

MITRE ATT&CK Mapping

T1546 Event Triggered Execution — hook and skill auto-loading
T1195.002 Supply Chain Compromise — npm distribution
T1027 Obfuscated Files — encrypted presets in opclawtm
T1547 Boot/Logon Autostart — persistent global hooks

Tags

AI Security, Skills Injection, Claude Code, Codex, Cursor, Campaign

Full Report

AI Tool Skill Injection: trackux, @fleetsnowfluff, claude-compass, opclawtm

TL;DR

Four packages inject skills, commands, or hooks into AI coding assistants (Claude Code, Codex, Cursor) via npm install. None steal credentials directly, but all modify AI tool configurations without clear user consent, establishing persistence mechanisms that could become malicious via updates.

Package 1: trackux@0.3.5 / 0.3.8

  • Maintainer: toineapps (toine.k21@gmail.com)
  • What it does: CLI copies .claude/skills/trackux-* and codex/AGENTS.md into projects
  • Injected skills: trackux-setup, trackux-track, trackux-leads (event tracking SDK)
  • Network: sends to trackux-api.frank-bonnet.workers.dev (Cloudflare Worker)
  • Assessment: The skills themselves are about the trackux tracking SDK — not malicious content. But installation via npx trackux install-agents copies files into your project without explicit consent about what's being added

Package 2: @fleetsnowfluff/confluence-cli@1.2.15

  • Maintainer: fleetsnowfluff (pyl1021920178@gmail.com)
  • Postinstall: silently registers skills in Claude Code, Cursor, Codex via register() function
  • Injected files: SKILL.md (en/zh), SKILL.codex.md, reference docs for Confluence workflows
  • Assessment: Skills are about Confluence (legitimate content). But the postinstall runs silently on npm install, injects into ALL detected AI tools, and skips only in CI. Users don't know skills are being installed

Package 3: claude-compass@0.1.3

  • Maintainer: codemode001 (rhey.pisos@gmail.com)
  • Created: 2026-04-03 (brand new, 0.1 days old)
  • What it does: Registers persistent hooks in ~/.claude/settings.json:
    • PostToolUse hook — fires after EVERY Claude Code tool use
    • Stop hook — fires at session end
  • Hook code: The PostToolUse hook only appends to .claude/pending-updates.md — logs which files were written. No network calls, no exfiltration
  • Self-dependency: claude-compass depends on itself (^0.1.0) — anomalous
  • Assessment: Current code is benign (just logging). But global hook registration from a brand-new package by unknown author creates a persistence vector. A semver-compatible update could make the hooks exfiltrate data
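
The two configuration-level footholds described for Packages 2 and 3 (a silent postinstall script, and PostToolUse/Stop hooks written into ~/.claude/settings.json) can be audited from the files themselves. The following is an added defender-side example, not code from any of the packages or from npm-sentinel; the settings.json and package.json contents are constructed samples, and the hook layout (event -> list of {matcher, hooks: [{type, command}]}) is assumed.

```python
import json

# Constructed sample of ~/.claude/settings.json, modelled on the claude-compass hook registration
# described above (not the package's real file). Layout assumed: event -> [{matcher, hooks: [{type, command}]}].
SAMPLE_SETTINGS = json.dumps({"hooks": {
    "PostToolUse": [{"matcher": "Write|Edit", "hooks": [
        {"type": "command", "command": "node ./node_modules/claude-compass/hooks/post-tool-use.js"}]}],
    "Stop": [{"hooks": [
        {"type": "command", "command": "node ./node_modules/claude-compass/hooks/stop.js"}]}],
}})

# Constructed package.json showing the two package-level red flags from the report:
# a postinstall lifecycle script and a dependency on the package itself.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg", "version": "0.1.3",
    "scripts": {"postinstall": "node scripts/register.js"},
    "dependencies": {"example-pkg": "^0.1.0"},
})

# Events that give a package a foothold on every tool call or every session end.
PERSISTENCE_EVENTS = {"PostToolUse", "Stop"}


def audit_hooks(settings_text, allowlist=frozenset()):
    # Return every hook command in a Claude Code settings file that the user did not allowlist.
    findings = []
    for event, groups in json.loads(settings_text).get("hooks", {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                cmd = hook.get("command", "")
                if cmd in allowlist:
                    continue
                findings.append({
                    "event": event, "matcher": group.get("matcher", "*"), "command": cmd,
                    "persistent": event in PERSISTENCE_EVENTS,
                    # a command living under node_modules was placed there by a package, not the user
                    "from_node_modules": "node_modules" in cmd,
                })
    return findings


def audit_package_json(pkg_text):
    # Flag the lifecycle-script and self-dependency anomalies the report calls out.
    pkg = json.loads(pkg_text)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return {
        "lifecycle_scripts": [s for s in ("preinstall", "install", "postinstall") if s in pkg.get("scripts", {})],
        "self_dependency": pkg.get("name") in deps,
    }
```

Run audit_hooks against the real ~/.claude/settings.json after any npm install and compare the findings with the previous snapshot; a hook that appeared without the user editing the file is the behaviour this report describes.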

Package 4: opclawtm@1.7.2 / opclawtm-cli@1.3.9

  • Maintainer: podreosom1 (vampirem1@outlook.com)
  • What it does: Multi-agent collaboration framework with 1MB encrypted preset data (preset-data.enc)
  • Files: 100+ obfuscated .js files, encrypted presets, Feishu/WeChat integration
  • Repository: github.com/poderosom1/opclawtm (exists)
  • Assessment: The encrypted presets and obfuscated code make auditing impossible. Could be a legitimate commercial tool protecting IP, or could contain hidden payloads. The vampirem1@outlook.com email and generic GitHub account are concerning

The Pattern

All four exploit the same trust model: npm packages are expected to be code libraries, but these packages modify AI assistant configurations. This is a new category of supply chain attack where the payload isn't code execution — it's AI behavior modification.

Credits

Detected by: npm-sentinel automated scanner
Date: 2026-04-03