Repo-jacking Anthropic’s Claude Community Plugins (And the SHAs That Saved Them)
Several Claude Community Plugins were vulnerable to repo-jacking. The direct code installation path was mitigated by SHA checks, but Claude Code’s “view plugin UI” feature would redirect users to the repo-jacked repository, opening up a social engineering vector leveraging trusted community plugins. Based on my experience, supply chain and social engineering are the easiest ways…
Trusting Claude With a Knife: Unauthorized Prompt Injection to RCE in Anthropic’s Claude Code Action
An external attacker could submit a pull request to any repository using Claude Code Action, wait for a reviewer to trigger the action, and then replace the PR title with a prompt injection payload, resulting in remote code execution within a privileged GitHub Actions workflow. When does prompt injection matter? In the 2022-era of Large…
Agent of Chaos: Hijacking NodeJS’s Jenkins Agents
When multiple DevOps platforms work together to execute pipelines for a single GitHub repository, it begs the question: Do these platforms get along? Node.js, the most popular JavaScript runtime in the world, uses a set of triplets to execute its CI/CD pipelines: a GitHub App, GitHub Actions workflows, and Jenkins pipelines. Like many children, parenting…
