Backdooring the number one downloaded ClawdHub skill
Security researcher Jamieson O’Reilly demonstrates how easily AI agent registries can be compromised by inflating download counts and injecting malicious code into ClawdHub skills. By exploiting trivial vulnerabilities, he successfully tricked several developers into executing arbitrary commands, highlighting a critical lack of vetting in the AI supply chain. This investigation serves as a stark warning that the same structural flaws that plagued npm and PyPI are now migrating to the AI tooling ecosystem.
Key points
- Jamieson O’Reilly conducted a proof-of-concept attack on ClawdHub, the package registry for Claude skill extensions.
- The researcher created a “What Would Elon Do” skill that appeared legitimate in the web UI but contained a hidden backdoor in unrendered files.
- A trivial vulnerability in the convex/downloads.ts file allowed the inflation of download counts with no authentication or rate limiting.
- Using a simple bash script to spoof IP addresses via the X-Forwarded-For header, the skill was boosted to over 4,000 downloads.
- The skill became the #1 downloaded item on ClawdHub within just one hour, creating a false sense of social proof.
- 16 real developers from 7 different countries executed the backdoored skill on their local machines.
- The payload successfully executed a curl request to an external server, proving that arbitrary commands could be run with user privileges.
- O’Reilly points out that users developed “muscle memory,” clicking “Allow” on permission prompts without scrutinizing the specific commands.
- The experiment referenced historical supply chain attacks like the 2021 ua-parser-js compromise and the 2018 event-stream incident.
- Recommendations include removing raw download counts as a trust metric and forcing the UI to surface all files within a skill package.
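The download-count weakness above comes down to a counter that believes whatever address the client writes into X-Forwarded-For and never limits repeats. The following is an added illustration written for this summary, not ClawdHub's convex/downloads.ts or any code from O'Reilly's write-up: a weak resolver next to a hardened one that only honours X-Forwarded-For when the connection arrived through one of the registry's own proxies, plus a counter that records at most one download per client per window. The proxy addresses and the burst of traffic used to compare the two are constructed for the example.

```typescript
// Added illustration, not ClawdHub's convex/downloads.ts: a download counter
// that refuses to trust client-supplied X-Forwarded-For and rate-limits per
// source. Proxy addresses and traffic below are constructed for the example.

type HeaderMap = Record<string, string | undefined>;

interface DownloadRequest {
  peerAddress: string; // address of the TCP peer that actually connected
  headers: HeaderMap;  // lower-cased header names
}

// Hypothetical addresses of the registry's own reverse proxies.
const TRUSTED_PROXIES: ReadonlySet<string> = new Set(["10.0.0.1", "10.0.0.2"]);

// Weak form: takes the first X-Forwarded-For entry at face value. Any client can
// set that header, so one connection can claim an unlimited number of "users".
function naiveClientAddress(req: DownloadRequest): string {
  const xff = req.headers["x-forwarded-for"];
  return xff ? xff.split(",")[0].trim() : req.peerAddress;
}

// Hardened form: X-Forwarded-For is honoured only when the direct peer is one of
// our proxies, and then only the rightmost entry that is not itself a trusted
// proxy is used; everything to the left of that was written by the client.
function trustedClientAddress(
  req: DownloadRequest,
  trusted: ReadonlySet<string> = TRUSTED_PROXIES,
): string {
  if (!trusted.has(req.peerAddress)) return req.peerAddress;
  const xff = req.headers["x-forwarded-for"];
  if (!xff) return req.peerAddress;
  const hops = xff.split(",").map((h) => h.trim()).filter((h) => h.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return req.peerAddress;
}

// Counts at most one download per resolved client address per window.
class DownloadCounter {
  private total = 0;
  private lastSeen = new Map<string, number>(); // client address -> last counted (ms)

  constructor(
    private readonly resolve: (req: DownloadRequest) => string,
    private readonly windowMs: number = 24 * 60 * 60 * 1000,
  ) {}

  // Returns true when the request was counted, false when it was a repeat
  // from the same client inside the window.
  record(req: DownloadRequest, nowMs: number): boolean {
    const client = this.resolve(req);
    const last = this.lastSeen.get(client);
    if (last !== undefined && nowMs - last < this.windowMs) return false;
    this.lastSeen.set(client, nowMs);
    this.total += 1;
    return true;
  }

  get count(): number {
    return this.total;
  }
}

// Constructed traffic for verification: n requests from a single peer that
// connected directly (not through a proxy), each claiming a different
// X-Forwarded-For value, the pattern the summary above describes.
function spoofedBurst(n: number, peer = "203.0.113.7"): DownloadRequest[] {
  const reqs: DownloadRequest[] = [];
  for (let i = 0; i < n; i++) {
    reqs.push({ peerAddress: peer, headers: { "x-forwarded-for": `198.51.100.${i % 250}` } });
  }
  return reqs;
}

// Feeds the same burst to both counters and returns what each would report.
function compareCounters(n: number): { naive: number; hardened: number } {
  const naive = new DownloadCounter(naiveClientAddress);
  const hardened = new DownloadCounter(trustedClientAddress);
  const t0 = 1700000000000; // fixed clock so the result is deterministic
  spoofedBurst(n).forEach((req, i) => {
    naive.record(req, t0 + i);
    hardened.record(req, t0 + i);
  });
  return { naive: naive.count, hardened: hardened.count };
}
```

Run compareCounters(100) and the naive counter reports 100 downloads from what is really one connection, while the hardened one reports 1. The design point is the hop selection: a proxy appends the address it saw to the right end of X-Forwarded-For, so the rightmost entry that is not one of your own proxies is the only one you did not receive from the client. Even with that fixed, the page's recommendation still stands: a count that any unauthenticated request can raise should not be shown as a trust signal.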
Takeaways
So, it turns out that “social proof” in the AI world is about as reliable as a chocolate teapot. Apparently, if you show a developer a big number and a catchy name, they’ll happily invite your malware home for dinner and give it the keys to the server. If you enjoy having your SSH keys and cloud credentials stay where they belong, perhaps stop treating the “Allow” button like a Tinder swipe and actually read the code you’re installing. Or don’t—I’m sure that #1 trending skill is totally fine and definitely not eating your soul for breakfast.