Security Research


Independent security researcher focused on AI supply chain security and prompt injection attack vectors. Building npm-sentinel, an automated scanner that has analyzed 18,976+ packages.

Summary: 18,976+ packages analyzed; 17 threats found (7 critical, 3 novel vectors). Showing 17 of 17 findings.
#001 | Critical | Novel | CVSS 9.2
2026-04-02 14:32

Persistent Prompt Injection via npm Supply Chain

npm package permanently hijacks AI coding assistants through postinstall hooks, injecting 13 persistent skill files that disable all security prompts.

Tags: Claude Code, Prompt Injection, npm
openmatrix@0.1.93
First AI Assistant Hijack via Supply Chain
#002 | Critical | Novel
2026-04-03 01:15

LLM Man-in-the-Middle via npm Supply Chain

Overwrites ~/.claude/ on install, reroutes all Claude Code API traffic through the attacker's server (makecoder.com), and harvests API credentials.

Tags: MITM, Claude Code, API Hijack
makecoder@2.0.72
First LLM API Traffic Hijack
#003 | Critical
2026-04-03 02:40

Redis Weaponization + Raw Disk Credential Theft

Coordinated campaign of 6 fake Strapi plugins containing a RAT that weaponizes Redis, reads the raw disk via dd to steal SSH keys and crypto wallets, and opens a reverse shell.

Tags: Redis, RAT, Reverse Shell
strapi-plugin-* (6 packages)
#004 | High | Novel
2026-04-03 03:22

Encrypted Prompt Injection Marketplace

Downloads encrypted, unauditable payloads from a marketplace API, decrypts them locally, and installs them as persistent Claude Code skills. The server can change the payloads at any time.

Tags: Encrypted, Marketplace, Claude Code
skillvault@0.1.14
First Encrypted Prompt Injection Marketplace
#005 | Critical
2026-04-03 04:05

RAT Disguised as AI Coding Tool

Two packages pose as AI coding agents with polished terminal UIs but route all user interactions through an attacker-controlled ngrok tunnel. Users willingly hand over full codebase access.

Tags: RAT, ngrok, AI Coding Tool
keystonewm@1.0.0 + tsunami-code@3.11.4
#006 | Critical
2026-04-03 05:18

Commercial Phishing-as-a-Service Toolkit (Evolved)

Commercial phishing toolkit distributed via npm for 9+ months. After public disclosure of v1.0.94, the attacker updated to v1.0.104: moved the code to a hidden .ad/ directory, obfuscated 39 files (~700KB), and added native Rust binaries via scoped packages.

Tags: Phishing, DKIM, OAuth
nolimit-x@1.0.94 → 1.0.104
#007 | High
2026-04-03 06:33

Slack Webhook Credential Stealer with Double Encoding

Ships fake React components as cover for a 33KB obfuscated credential stealer that exfiltrates environment variables to Slack, using double base64 plus charCode encoding to hide the data.

Tags: Credential Stealer, Slack, Obfuscation
@sbxapps/sbx-operations-administration-fieldservicetools-ui@45.0.5
#008 | High
2026-04-03 08:45

Dependency Confusion Targeting Verisign + a2a Protocol

Two dependency confusion attacks: one targeting Verisign specifically (exfiltrating data to a Telegram bot), the other targeting internal packages with OAST callbacks.

Tags: Dependency Confusion, Verisign, Telegram
@corpweb-ui/wmkt-library@99.99.11 + a2a-chat-canvas@97.9.9
#009 | High
2026-04-03 10:55

Dependency Confusion with DNS Exfiltration

Two dependency confusion attacks targeting corporate packages. One uses classic HTTP exfiltration; the other uses DNS exfiltration via hex-encoded nslookup queries to bypass egress firewalls.

Tags: Dependency Confusion, DNS Exfiltration, Version Squatting
coviu-client@9.9.9 + @client-web-next/ui@9.999.3
#010 | Medium
2026-04-03 12:08

Silent Code Exfiltration + Remote Prompt Injection via Dev Tool Hooks

CLI tool registers hooks in Claude Code that silently exfiltrate every file you write, sending it to the attacker's server, and inject server-controlled systemMessages into every Claude session.

Tags: Claude Code, Hooks, Exfiltration
@gipity/cli@1.0.14
#011 | Medium
2026-04-03 13:40

AI Tool Skill Injection Campaign (4 Packages)

Four packages inject skills, commands, or hooks into AI coding assistants (Claude Code, Codex, Cursor) without clear user consent. This is a new attack category: AI behavior modification via the supply chain.

Tags: AI Security, Skills Injection, Claude Code
trackux, @fleetsnowfluff/confluence-cli, claude-compass, opclawtm
#012 | Critical
2026-04-03 15:12

Windows DPAPI Password Stealer via Typosquat

Typosquat of the undici HTTP client. A 584KB obfuscated payload steals Windows passwords via DPAPI, takes screenshots, and exfiltrates Discord tokens, Telegram sessions, crypto wallets, and webhooks.

Tags: Typosquat, DPAPI, Infostealer
undicy-http@3.0.2
#013 | Critical
2026-04-03 16:30

npm Token Worm + ICP Blockchain C2

Steals npm tokens from .npmrc, installs a Python backdoor as a systemd service, fetches payloads from an ICP blockchain canister (icp0.io), and self-propagates by publishing to npm using the stolen tokens.

Tags: Worm, ICP, Blockchain C2
@opengov/form-renderer@0.2.20
#014 | High
2026-04-03 17:45

Obfuscated Typosquat of @mui/material

Typosquat of @mui/material with 160 published versions. Ships a 70KB obfuscated common.js produced with javascript-obfuscator (the _0x identifier pattern). A sustained campaign across multiple releases.

Tags: Typosquat, Material UI, Obfuscation
react-ui-mat@5.81.22
#015 | High
2026-04-03 18:20

Trojanized Fork of @nestjs/common

Fork of the official @nestjs/common package with an injected phantom dependency (file-type) that is not present in the original. The phantom dependency can execute arbitrary code at install time.

Tags: Trojanized Fork, NestJS, Phantom Dependency
@depup/nestjs__common@11.1.18
#016 | High
2026-04-03 19:05

Brotli-Compressed Binary Bundle in Agent SDK

Ships a 2.4MB Brotli-compressed binary (runtime.bundle.br) that is decompressed and executed dynamically. The code that actually runs cannot be audited through static analysis.

Tags: Brotli, Binary Bundle, Scanner Evasion
actoviq-agent-sdk@0.1.10
#017 | High
2026-04-03 20:30

Silent Postinstall Exfiltration in Crypto Wallet SDK

Crypto wallet SDK with a silent postinstall that suppresses all stderr output (2>/dev/null). It executes a hidden payload during installation with no visible output to the developer.

Tags: Crypto, Wallet, Xverse
@secretkeylabs/xverse-agent-wallet@0.1.6

Responsible Disclosure

All findings are submitted through official vulnerability disclosure programs before public release. I follow coordinated disclosure practices and work with vendors to ensure fixes are deployed before details are published.