VYPR research
Published Apr 23, 2026 · Updated May 18, 2026

Cisco Researchers Poison Anthropic Claude Code's Memory File via NPM Post-Install Hooks

Cisco researchers demonstrated a technique to compromise Anthropic Claude Code's memory.md file through NPM post-install hooks, achieving persistent code injection across sessions and projects.

Cisco researchers have demonstrated a novel attack against Anthropic's Claude Code AI coding assistant, exploiting NPM post-install hooks to poison the tool's memory.md file and achieve persistent compromise across sessions and projects. In the published write-up, the technique let the researchers inject hardcoded secrets into production code, steer Claude Code toward insecure packages and configuration options, and propagate those changes to other members of the development team.

The vector is the lifecycle scripts that the Node Package Manager (NPM) runs automatically during package installation, the post-install hook in particular: a malicious or compromised dependency can use one to write instructions into Claude Code's memory.md file without any interaction from the developer. Because the first 200 lines of memory.md are loaded into Claude Code's system prompt, the planted instructions did not stay confined to one conversation; they persisted across sessions and even across different projects. That persistence is what turned a single install into hardcoded secrets in production code, insecure package and configuration choices, and a poisoned change pushed to another team member.

While Anthropic has since mitigated the issue, the research points to a systemic weakness in AI systems: the memory files and context data they carry from one request to the next. Amy Chang, head of AI threat intelligence and security research for Cisco's AI Software & Platform group, noted that because memory and context data are incorporated into future requests, anyone who can write to them can corrupt the output of the AI systems and applications that read them. "You get the convenience of not having to reload the same files and dependencies and directories, but at the same time, the trade-off is you could potentially be opening yourself up to potential risk," she said.

AI memory files and context data have become a focus for attackers looking to compromise AI applications and gain persistence, because they hold the state of a particular user session and, over the longer term, the user's overall preferences. Researchers at Princeton University and Sentient AI found that attackers can insert fake memories into the data an AI agent relies on, manipulating its responses and decisions, while Radware threat researchers demonstrated ways to use indirect prompt injection (IPI) to compromise the connectors that OpenAI's ChatGPT uses to link to third-party services.

The latest Cisco research also highlights a broader problem with securing AI systems. Security teams already treat any executable file as a potential danger, and they have learned that code creeps into nominally non-executable formats, such as VBA macros in Excel spreadsheets and Python opcodes in Pickle files. Now any text file could carry instructions that, once included in a memory file, cause malicious behavior. "Even your markdown files can be vectors," Chang said, emphasizing that cybersecurity professionals need to be aware of text files and their ability to modify the execution of AI systems.

Other instruction and context files that agents load, such as claude.md (Anthropic's Claude Code), agents.md (OpenAI's Codex), and soul.md (OpenClaw), are risks that users of agentic AI will have to analyze and maintain in the same way. Jay Chen, senior principal security researcher with Palo Alto Networks, which published research on memory manipulation last October, noted that "the root cause is prompt injection, which remains an open and unsolved problem. Any AI agents or GenAI applications that rely on an LLM to manage memory can be susceptible to memory poisoning."

Retaining memory files for a long time may itself be a security weakness. While malicious additions to memory files are hard to detect, various AI security vendors, including Cisco, Palo Alto Networks, Snyk, Meta, and SentinelOne, have developed tools to scan memory files for malicious modifications and to block attacks on AI systems. Chang recommended that companies regularly delete memory files, especially if there are concerns over whether they have been maliciously modified. "Having additional layers of protection on top of the memory processing ... would probably improve security," she said.

Synthesized by Vypr AI