Skip to content

Commit 8d506e1

Browse files
committed
Add Miasma AI assistant persistence note
1 parent 7089d3a commit 8d506e1

1 file changed

Lines changed: 22 additions & 0 deletions

File tree

src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,27 @@ Practical defensive controls (technical):
5151
- Disallow repo-controlled auto-approval of MCP servers; allowlist only per-user settings outside the repo.
5252
- Block or scrub repo-defined endpoint/environment overrides; delay all network initialization until explicit trust.
5353

54+
### Repository-Local AI Assistant Persistence
55+
56+
A compromised publisher, dependency, or repository writer does not need to stop at install-time execution. Another persistence layer is to commit assistant instruction/config files into the repository so the next developer who opens the project feeds attacker-controlled instructions into local tooling.
57+
58+
High-signal paths to review:
59+
60+
- `.claude/settings.json`
61+
- `.cursor/rules`
62+
- `.gemini/`
63+
- `.mcp.json`
64+
- `.vscode/` tasks, settings, extensions recommendations, or other editor files that steer AI helpers
65+
66+
This pattern was highlighted in the Miasma npm supply-chain campaign: after package compromise, the attacker can use stolen maintainer access to push repository-local assistant configuration, shifting the trigger from `npm install` to **repository open / assistant load**. During reviews, treat new assistant-policy files with the same suspicion level as new workflow files, shell scripts, package hooks, or build-system metadata.
67+
68+
Defensive checks:
69+
70+
- Diff assistant and editor config files in PRs even when no source code changed.
71+
- Keep trusted AI/MCP configuration in user-controlled paths outside the repository when possible.
72+
- Require approval for project-level tool execution, endpoint overrides, and MCP server changes.
73+
- Monitor package compromise response for follow-on commits that add AI assistant files after credentials are stolen.
74+
5475
### Repo-Local MCP Auto-Exec via `CODEX_HOME` (Codex CLI)
5576

5677
A closely related pattern appeared in OpenAI Codex CLI: if a repository can influence the environment used to launch `codex`, a project-local `.env` can redirect `CODEX_HOME` into attacker-controlled files and make Codex auto-start arbitrary MCP entries on launch. The important distinction is that the payload is no longer hidden in a tool description or later prompt injection: the CLI resolves its config path first, then executes the declared MCP command as part of startup.
@@ -231,5 +252,6 @@ Impact highlights
231252
- [Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files](https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/)
232253
- [OpenAI Codex CLI Vulnerability: Command Injection](https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/)
233254
- [When OAuth Becomes a Weapon: Lessons from CVE-2025-6514](https://amlalabs.com/blog/oauth-cve-2025-6514/)
255+
- [What the Miasma campaign reveals about the new supply chain threat model and the underground market for developer credentials](https://www.tenable.com/blog/what-the-miasma-campaign-reveals-about-the-new-supply-chain-threat-model-and-the-underground)
234256

235257
{{#include ../../banners/hacktricks-training.md}}

0 commit comments

Comments
 (0)