Independent security researcher focused on AI supply chain security and prompt injection attack vectors. Building npm-sentinel, an automated scanner that has analyzed 18,976+ packages.
npm package permanently hijacks AI coding assistants through postinstall hooks, injecting 13 persistent skill files that disable all security prompts.
Overwrites ~/.claude/ on install, reroutes all Claude Code API traffic through the attacker's server (makecoder.com), and harvests API credentials.
Downloads encrypted, unauditable payloads from a marketplace API, decrypts locally, and installs as persistent Claude Code skills. Server can change payloads anytime.
Two packages pose as AI coding agents with polished terminal UIs but route all user interactions through an attacker-controlled ngrok tunnel. Users willingly give full codebase access.
CLI tool registers hooks in Claude Code that silently exfiltrate every file you write to the attacker's server, and inject server-controlled systemMessages into every Claude session.
Four packages inject skills, commands, or hooks into AI coding assistants (Claude Code, Codex, Cursor) without clear user consent. A new attack category: AI behavior modification via supply chain.
Coordinated campaign of 4 packages under @milenyumai scope injecting malicious configurations into Claude Code (.claude/settings.json) and Cursor (.cursorrules, .cursor/rules/). MCP server injection targeting AI coding assistants.
Coordinated campaign of 6 fake Strapi plugins containing a RAT that weaponizes Redis, reads raw disk via dd to steal SSH keys and crypto wallets, and opens a reverse shell.
Steals npm tokens from .npmrc, installs Python backdoor as systemd service, fetches payloads from ICP blockchain canister (icp0.io), and self-propagates by publishing to npm using stolen tokens.
Ships fake React components as cover for a 33KB obfuscated credential stealer that exfiltrates environment variables to Slack using double base64 + charCode encoding.
Typosquat of undici HTTP client. 584KB obfuscated payload steals Windows passwords via DPAPI, takes screenshots, and exfiltrates Discord tokens, Telegram sessions, crypto wallets, and webhooks.
Trojanized copy of Douglas Wilson's basic-auth package. Injects obfuscated URLs pointing to coingecko-liard.vercel.app, a crypto phishing domain disguised as CoinGecko.
Two dependency confusion attacks: one targeting Verisign specifically (exfiltrating data to Telegram bot), another targeting internal packages with OAST callbacks.
Two dependency confusion attacks targeting corporate packages. One uses classic HTTP exfiltration, the other uses DNS exfiltration via hex-encoded nslookup to bypass firewalls.
Fork of the official @nestjs/common package with an injected phantom dependency (file-type) not present in the original. The phantom dep can execute arbitrary code at install time.
Ships a 2.4MB Brotli-compressed binary (runtime.bundle.br) that is decompressed and executed dynamically. The actual code running is impossible to audit through static analysis.
Trojanized fork of Baileys (WhatsApp Web API library). 86KB obfuscated payload hidden in lib/Signal/Group/index/_internal.js, mimicking the legitimate Baileys directory structure to avoid detection.
1.8MB heavily obfuscated package disguised as an MCP (Model Context Protocol) server. Demonstrates growing abuse of the MCP ecosystem as an attack vector for AI coding tools.
Typosquat of @mui/material with 160 published versions. Ships 70KB obfuscated common.js using javascript-obfuscator (_0x pattern). Sustained campaign over multiple releases.
Crypto wallet SDK with silent postinstall that suppresses all stderr output (2>/dev/null). Executes hidden payload during installation with no visible output to the developer.
All findings are submitted through official vulnerability disclosure programs before public release. I follow coordinated disclosure practices and work with vendors to ensure fixes are deployed before details are published.