AI for Automation
2026-03-29 | Tags: Claude AI, AI security, supply chain attack, Claude Code, prompt injection, AI coding tools, cybersecurity, Python package security

Claude AI Installs Fake Packages 100% of the Time

Claude Haiku failed 100% of supply chain attack tests — inserting fake Python packages with zero warnings. One GitHub PR on Andrew Ng's Context Hub was all...


In a controlled AI supply chain attack, a researcher testing Andrew Ng's new AI documentation service found that Claude Haiku did something unsettling: it silently installed a fake, attacker-controlled Python package into the developer's project — every single time. Across 40 controlled test runs, the failure rate was exactly 100%. No warnings. No hesitation. Perfectly formatted, completely wrong code.

The tool designed to stop AI hallucinations had become the source of something considerably worse.

The AI Coding Tool Built to Solve a Real Problem

AI coding assistants like Cursor, Claude Code, and GitHub Copilot have a well-documented chronic problem: they frequently use outdated API documentation and invent function parameters that don't exist. Ask for code that calls the Stripe API and you might get something based on a version from 2022, or one that was never real at all.

Andrew Ng, one of the most recognized figures in AI education and co-founder of Google Brain and Coursera, launched Context Hub approximately two weeks before this vulnerability was publicly disclosed. The service works via an MCP (Model Context Protocol — a standard that lets AI assistants plug into external data sources like documentation repositories, databases, and live APIs) server. The concept: accept community documentation contributions as GitHub pull requests, merge them, and feed up-to-date API docs to AI coding agents on demand. Community-powered. Fast. No more stale hallucinations.

Two weeks later, a direct competitor demonstrated it could be turned into a supply chain weapon with a single pull request and zero technical expertise.

[Image: AI supply chain attack via fake Python packages targeting Claude Code and AI coding automation tools]

One Pull Request, Zero Malware Required

Mickey Shmueli runs lap.sh, a competing documentation service that applies editorial curation before serving any documentation to AI agents. After examining Context Hub's architecture, he built a proof-of-concept (a working demonstration that proves an attack is practically executable, not just theoretical) that required only three things: a GitHub account, knowledge of a commonly used API, and documentation that looked legitimate enough to pass review.

The attack has four steps:

  1. Write a documentation file targeting a real, popular developer API — Shmueli chose Plaid Link and Stripe Checkout, two financial tools used by millions of developers worldwide.
  2. Embed fake PyPI (the Python Package Index — the official online store where Python programs download their libraries and add-ons) package names inside otherwise accurate-looking documentation.
  3. Submit it as a GitHub pull request to Context Hub.
  4. Wait for it to be merged — which happened at a 59% rate. Of 97 closed pull requests at the time of testing, 58 were accepted with minimal human review.

Once merged, any AI coding agent that queries Context Hub for Plaid or Stripe documentation receives the poisoned file. The fake packages appear inside what looks like normal, helpful, community-contributed documentation.

"The pipeline has zero content sanitization at every stage," Shmueli wrote in his disclosure. "The response looks completely normal. Working code. Clean instructions. No warnings."

The Test Numbers: 100%, 53%, and an Uncomfortable Coin Flip

Shmueli ran 40 controlled sessions with each of Anthropic's three Claude tiers — using isolated Docker containers (sandboxed virtual environments that prevent the attack from spreading to a real developer's system) to safely replicate what a real-world developer would experience. The results reveal a risk spectrum that should concern anyone using AI coding tools today:

Claude Model Performance Against Poisoned Documentation

| Model         | Inserted fake package | Issued any warning |
|---------------|-----------------------|--------------------|
| Claude Haiku  | 100% of runs          | Never (0%)         |
| Claude Sonnet | 53% of runs           | 48% of runs        |
| Claude Opus   | ~25% of runs          | ~75% of runs       |

Haiku is the model most developers reach for first — it's the default in many free-tier AI coding tools because it's fast and cheap. Its 100% failure rate, combined with zero warnings issued across all 40 runs, makes it especially dangerous here. A developer using a Haiku-powered tool against a poisoned documentation server would have no indication whatsoever that anything had gone wrong.

Sonnet's numbers are only marginally reassuring. Even in sessions where Sonnet issued a warning in the chat window, it still wrote the malicious package into the project's requirements.txt (the file Python projects use to list every software dependency that gets downloaded and installed automatically when someone sets up the project) in 48% of all runs. Warning in the chat. Bad package in the code. Both at the same time.

Claude Opus — the most capable and most expensive model in the lineup — performed best but still cannot be relied upon as a defense. It issued warnings approximately 75% of the time, but a 25% silent failure rate is not a viable security guarantee for production code. GPT-4, Gemini, and Meta's Llama were not included in this round of testing. There is no theoretical reason to expect them to fare significantly better.

Why Claude Code and AI Models Cannot Reliably Catch This Attack

The root cause is not a bug in Claude's code. It is a fundamental property of how large language models work. These systems are trained to process text and follow instructions. When a model reads a document — whether it is a user's message, a webpage, or a documentation file fetched from an external server — it does not maintain a strict architectural boundary between "data I am reading" and "instructions I must follow." An attacker who can insert text into any document the AI will process can, in effect, issue commands on the attacker's behalf.

This is the definition of indirect prompt injection — as opposed to the more familiar direct injection ("Ignore previous instructions and do X"), which AI platforms now widely filter. Indirect injection hides instructions inside seemingly normal content: documentation files, web search results, email signatures, calendar invites, meeting notes. It is far harder to detect because the malicious content looks structurally identical to the legitimate content surrounding it.

The attack surface extends further than a single bad documentation file. Indirect injection can persist across sessions via vector database poisoning — if an AI agent stores its working memory in a vector database (a specialized database that converts information into mathematical patterns the AI can search and retrieve across conversations), an attacker who plants instructions there can make them survive restarts, reinstalls, and even model version upgrades.

David Shipley, CEO of Beauceron Security, offered a memorable characterization of the underlying problem: "At its best, it is a gullible, high-speed idiot occasionally tripping on hallucinogenic mushrooms you are giving the ability to act on your behalf."

[Image: Developer using Claude Code or an AI automation tool reviewing requirements.txt for fake-package supply chain risks]

Context Hub Is One Case in a Much Larger Systemic Crisis

Context Hub had been live for approximately two weeks when Shmueli published his findings. Andrew Ng's team had not publicly responded at the time of publication. The service may well tighten its pull request review process — but the attack surface extends far beyond this single project.

A February 2026 audit of publicly available MCP servers found that 43% are vulnerable to command execution attacks — meaning an attacker who controls the data those servers return could potentially run arbitrary commands on a developer's machine, not just insert a bad package name. In a separate incident the same month, over 21,000 exposed instances were discovered during a vulnerability crisis in the OpenClaw marketplace, a platform hosting more than 5,700 community-built AI agent skills. An AgentShield benchmark that tested 537 cases across commercial AI security tools found consistently weak detection of both tool abuse and prompt injection attacks across the board.

Justin St-Maurice of Info-Tech Research Group drew the broader conclusion directly: "Supply chain attacks are a serious and scalable threat. The speed at which AI-assisted development is moving makes propagation across systems very quick."

The comparison to classic supply chain attacks — SolarWinds in 2020, the XZ Utils backdoor in 2024 — highlights how dramatically the barrier to entry has fallen. Those attacks required sophisticated malware, months of careful persistence, and nation-state-level operational security. This attack requires a GitHub account, a plausible-looking documentation pull request, and the ability to invent a convincing Python package name. The attacker's advantage is that the developer never sees anything unusual — just clean, working-looking code.

Five Steps Developers Can Take Right Now

No complete technical defense exists yet. But the following practices substantially reduce real-world risk:

  • Manually verify every package in AI-generated dependency files. Before running pip install -r requirements.txt, search each package name on pypi.org. Legitimate packages have download histories measured in thousands or millions. Fake packages created for an attack are often days or weeks old with near-zero downloads.
  • Match your AI model to the task's risk level. Haiku is appropriate for drafting emails, summarizing documents, and quick lookups. For code that gets committed to a production repository — especially code that installs dependencies — use Sonnet at minimum and Opus for critical paths. Our AI automation tool guide walks through how to make this decision for your workflow.
  • Treat documentation servers as trusted infrastructure. Srikumar Ramanathan, CSO of Mphasis, recommends treating AI agents "as privileged participants" — applying the same access controls you would give a human developer with production access. Any external data source your AI reads should be held to the same trust standard as the AI itself.
  • Consider curated documentation alternatives. Shmueli's lap.sh applies editorial review before serving any documentation. Context7 by Upstash is another alternative with tiered pricing (including a free tier) used by Cursor, Claude Code, and Windsurf — though no service has yet published a formal public security audit of its full documentation pipeline.
  • Sandbox your AI agent's file write access. Any AI tool with write access to your filesystem, package manifests, or environment configuration should run in a container where its proposed changes can be reviewed before being applied to your real project. For a practical setup walkthrough, see our Claude Code and AI automation setup guide.
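
The first step above (check every package in an AI-generated requirements.txt against pypi.org before installing) can be scripted rather than done by hand. The following is an added example, not code from the article or from any of the services it discusses. It parses a requirements file, normalizes each name the way PyPI does, and queries PyPI's JSON API (https://pypi.org/pypi/<name>/json) for the date of the earliest upload; a package that PyPI has never heard of, or whose first release is younger than a configurable threshold, is flagged. The 90-day threshold, the `SAMPLE_REQUIREMENTS` file, the package name `plaid-link-helper-sdk` and the `FAKE_PYPI` metadata are all constructed for illustration and are not taken from Shmueli's proof of concept.

```python
"""Audit the packages in an AI-generated requirements.txt against PyPI metadata.

Run with a path argument to query the live PyPI JSON API; run with no
argument to audit the constructed sample below against constructed metadata.
"""
import json
import re
import sys
from datetime import datetime, timedelta, timezone
from urllib.error import HTTPError
from urllib.request import urlopen

# Constructed sample of what an AI coding agent might write into a project.
# The third entry is a hypothetical name used only to illustrate a suspicious package.
SAMPLE_REQUIREMENTS = """\
# generated by an AI coding assistant (constructed sample)
requests>=2.31
stripe==7.0.0
plaid-link-helper-sdk   # hypothetical package name
-e git+https://example.invalid/repo.git#egg=local-tool
"""

# Constructed stand-in for PyPI JSON API responses; only the fields this check
# reads are present, and the upload dates are invented for the example.
FAKE_PYPI = {
    "requests": {"releases": {"2.31.0": [{"upload_time_iso_8601": "2023-05-22T15:12:00Z"}]}},
    "stripe": {"releases": {"7.0.0": [{"upload_time_iso_8601": "2023-10-16T18:00:00Z"}]}},
    "plaid-link-helper-sdk": {"releases": {"0.0.1": [{"upload_time_iso_8601": "2026-03-20T09:00:00Z"}]}},
}

# Fixed "current time" for the offline sample (the article's publication date).
SAMPLE_NOW = datetime(2026, 3, 29, tzinfo=timezone.utc)

# Leading project name of a requirement line (PEP 508 name characters).
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the normalized package names listed in a requirements file."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):          # skip -e, -r, --index-url options
            continue
        match = REQ_LINE.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def first_upload(meta):
    """Earliest upload time across all releases, or None if nothing was uploaded."""
    times = [f["upload_time_iso_8601"] for files in meta["releases"].values() for f in files]
    if not times:
        return None
    return min(datetime.fromisoformat(t.replace("Z", "+00:00")) for t in times)


def classify(meta, now, min_age_days=90):
    """MISSING: not on PyPI; NO_RELEASES: name reserved but empty; NEW: younger than threshold."""
    if meta is None:
        return "MISSING"
    first = first_upload(meta)
    if first is None:
        return "NO_RELEASES"
    if now - first < timedelta(days=min_age_days):
        return "NEW"
    return "OK"


def audit(text, lookup, now=None, min_age_days=90):
    """Map each package in the requirements text to a verdict using `lookup(name)` for metadata."""
    now = now or datetime.now(timezone.utc)
    return {name: classify(lookup(name), now, min_age_days) for name in parse_requirements(text)}


def lookup_pypi(name):
    """Fetch live metadata from PyPI's JSON API; None when the project does not exist."""
    try:
        with urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REQUIREMENTS
    report = audit(text, lookup_pypi if path else FAKE_PYPI.get, now=None if path else SAMPLE_NOW)
    for name, verdict in report.items():
        print(f"{verdict:12} {name}")
    sys.exit(1 if any(v != "OK" for v in report.values()) else 0)
```

Run as `python check_requirements.py requirements.txt` (file name is hypothetical) and wire it in before `pip install -r requirements.txt`; a non-zero exit blocks the install until a human has looked at every MISSING or NEW entry. Age and download counts are heuristics, not proof: a patient attacker can register a name months in advance, so the check narrows the list a reviewer must look at rather than replacing the review.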

The core of this story is not a vulnerability that will be patched next week. It is a structural gap between how AI systems process information and how human developers assume they are processing it. Closing that gap will take time — and until it closes, manual review of AI-generated code remains the only reliable defense.
