Full Report
A proof-of-concept attack on Context Hub suggests there's not much content santization A new service that helps coding agents stay up to date on their API calls could be dialing in a massive supply chain vulnerability.…
Analysis Summary
# Tool/Technique: Documentation Poisoning (Context Hub PoC)
## Overview
Documentation Poisoning is a specialized supply chain attack technique where malicious instructions or dependencies are inserted into API documentation repositories. These repositories serve as a knowledge base for AI coding agents (such as Claude Code). Because coding agents rely on this documentation to generate code and manage project dependencies, they can be manipulated into importing malicious packages (AI Package Hallucination exploitation) without direct human intervention.
## Technical Details
- **Type:** Software Supply Chain Attack / Indirect Prompt Injection
- **Platform:** AI Development Frameworks, Context Hub, MCP (Model Context Protocol) Servers, GitHub, PyPI/NPM Ecosystems
- **Capabilities:**
- Manipulation of AI agent code generation.
- Automated injection of malicious dependencies into `requirements.txt` or configuration files.
- Bypassing human review through documentation-only Pull Requests (PRs).
- **First Seen:** March 2026 (Proof-of-Concept published by Mickey Shmueli)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1195.002 - Supply Chain Compromise: Compromise Software Dependencies]**
- **[TA0002 - Execution]**
- **[T1204.003 - User Execution: Malicious File]** (Agent-driven execution of poisoned code)
- **[TA0005 - Defense Evasion]**
- **[T1566 - Phishing]** (Deceptive documentation used to trick the agent/human reviewer)
## Functionality
### Core Capabilities
- **Unvetted Documentation Injection:** Attackers submit documentation updates via GitHub Pull Requests to services like Context Hub. If merged, these become "truth" for AI agents.
- **Dependency Fabulation:** The technique inserts mentions of fake, attacker-controlled libraries into API setup instructions.
- **Agent Context Manipulation:** Exploits the inability of LLMs to distinguish between factual API data and malicious system instructions embedded in that data.
### Advanced Features
- **MCP Server Delivery:** Uses the Model Context Protocol to deliver poisoned documentation directly into the agent’s active memory/context, ensuring the agent prioritizes the malicious docs over its pre-training data.
- **Silent Project Modification:** The attack can succeed without the AI agent alerting the user, modifying `requirements.txt` or environment setups silently.
## Indicators of Compromise
- **File Names:** `requirements.txt`, `package.json`, `environment.yml` (containing unauthorized or "typosquatted" packages).
- **Network Indicators:**
- `https[:]//github[.]com/andrewyng/context-hub` (Targeted Repo)
- `https[:]//github[.]com/mickmicksh/chub-supply-chain-poc` (PoC Repository)
- **Behavioral Indicators:**
- Coding agents suggesting unknown or non-official libraries for well-known APIs (e.g., Plaid, Stripe).
- Unusually high volume of Documentation Pull Requests from new or unverified contributors.
## Associated Threat Actors
- **Mickey Shmueli** (Security Researcher/PoC Author)
- Currently no known APT group, but the technique is a variation of **"AI Package Hallucination"** exploits.
## Detection Methods
- **Behavioral Detection:** Monitor AI agent output for references to packages not found in internal allow-lists or official registries.
- **Static Analysis:** Scrutinize PRs for non-standard package references in documentation files (.md, .rst).
- **Audit Logs:** Track AI agent activity and network requests during the "build" or "agentic coding" phase to identify calls to malicious registries.
## Mitigation Strategies
- **Content Sanitization:** Implement automated scanners to detect executable instructions or package references within documentation repositories.
- **Human-in-the-loop (HITL):** Require manual verification of any dependency added to a project by an AI agent.
- **Network Isolation:** Restrict coding agents' ability to access the public internet or private data repositories unless explicitly required.
- **Model Selection:** Use higher-parameter models (e.g., Claude Opus) which demonstrate a higher capability for detecting and warning about suspicious dependencies compared to lighter models (e.g., Haiku).
## Related Tools/Techniques
- **AI Package Hallucination:** Tricking developers into installing non-existent libraries.
- **Indirect Prompt Injection:** Hiding instructions in data that an AI processes.
- **Typosquatting:** Registering malicious packages with names similar to popular ones.