You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Disallow repo-controlled auto-approval of MCP servers; allowlist only per-user settings outside the repo.
52
52
- Block or scrub repo-defined endpoint/environment overrides; delay all network initialization until explicit trust.
53
53
54
+
### Repository-Local AI Assistant Persistence
55
+
56
+
A compromised publisher, dependency, or repository writer does not need to stop at install-time execution. Another persistence layer is to commit assistant instruction/config files into the repository so the next developer who opens the project feeds attacker-controlled instructions into local tooling.
57
+
58
+
High-signal paths to review:
59
+
60
+
-`.claude/settings.json`
61
+
-`.cursor/rules`
62
+
-`.gemini/`
63
+
-`.mcp.json`
64
+
-`.vscode/` tasks, settings, extensions recommendations, or other editor files that steer AI helpers
65
+
66
+
This pattern was highlighted in the Miasma npm supply-chain campaign: after package compromise, the attacker can use stolen maintainer access to push repository-local assistant configuration, shifting the trigger from `npm install` to **repository open / assistant load**. During reviews, treat new assistant-policy files with the same suspicion level as new workflow files, shell scripts, package hooks, or build-system metadata.
67
+
68
+
Defensive checks:
69
+
70
+
- Diff assistant and editor config files in PRs even when no source code changed.
71
+
- Keep trusted AI/MCP configuration in user-controlled paths outside the repository when possible.
72
+
- Require approval for project-level tool execution, endpoint overrides, and MCP server changes.
73
+
- Monitor package compromise response for follow-on commits that add AI assistant files after credentials are stolen.
74
+
54
75
### Repo-Local MCP Auto-Exec via `CODEX_HOME` (Codex CLI)
55
76
56
77
A closely related pattern appeared in OpenAI Codex CLI: if a repository can influence the environment used to launch `codex`, a project-local `.env` can redirect `CODEX_HOME` into attacker-controlled files and make Codex auto-start arbitrary MCP entries on launch. The important distinction is that the payload is no longer hidden in a tool description or later prompt injection: the CLI resolves its config path first, then executes the declared MCP command as part of startup.
@@ -231,5 +252,6 @@ Impact highlights
231
252
-[Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files](https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/)
-[When OAuth Becomes a Weapon: Lessons from CVE-2025-6514](https://amlalabs.com/blog/oauth-cve-2025-6514/)
255
+
-[What the Miasma campaign reveals about the new supply chain threat model and the underground market for developer credentials](https://www.tenable.com/blog/what-the-miasma-campaign-reveals-about-the-new-supply-chain-threat-model-and-the-underground)
0 commit comments