Clinejection
February 2026. 4,000+ developers compromised.
A malicious MCP server was published to a popular MCP directory. When developers connected their AI coding agents to it, the server instructed agents to run npm publish with modified package contents. The backdoored packages were published under the developer’s own npm credentials.
What happened
- A threat actor published an MCP server claiming to provide “enhanced code analysis.”
- Developers added the server to their Claude Code and Cursor configurations.
- The MCP server returned tool call responses containing hidden instructions to modify package.json and inject a postinstall script.
- The AI agent, following the MCP server’s instructions, ran npm publish to push the modified package.
- Downstream consumers installed the backdoored packages, executing the postinstall payload.
No governance layer existed between the agent’s intent and the npm publish command. The agent had full access to the developer’s shell and credentials.
Why it worked
The attack exploited a fundamental trust gap. AI coding agents execute shell commands with the developer’s full permissions. MCP servers can influence what those commands are. Without a policy layer between the agent and the shell, there was nothing to intercept the npm publish before execution.
Which rules block this
Three Vectimus rules would have prevented this attack:
- vectimus-base-015: Blocks npm publish outright. Agents must not publish packages.
- owasp-010: Blocks npm install with non-standard registry URLs, catching modified .npmrc configurations.
- owasp-011: Blocks modifications to .npmrc and package manager registry configuration.
The deny response tells the agent what to do instead: “Stage the package and request human review before publishing.”
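To make the policy-layer idea concrete, here is an added Python sketch of such a pre-execution gate, written for this page and not Vectimus's own implementation. It applies the three rules above to a shell command before it runs (checking each simple command in a chain such as "cd pkg && npm publish"), fails closed on commands it cannot tokenize, and assumes registry.npmjs.org is the only trusted registry; all sample commands and the evil.example host are constructed.

```python
import shlex
from dataclasses import dataclass
from itertools import groupby
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}  # assumption: the only registry this toy policy trusts
SEPARATORS = {"&&", "||", ";", "|"}  # chained commands are checked one simple command at a time
REVIEW_MSG = "Stage the package and request human review before publishing."

@dataclass
class Decision:
    allowed: bool
    rule: str = ""     # rule id from this page, empty when allowed
    message: str = ""  # what the agent is told to do instead

def _writes_npmrc(seg):
    """owasp-011: redirection into .npmrc, tools that rewrite it, or npm config set registry."""
    redirected = any(t in (">", ">>") and seg[i + 1].endswith(".npmrc") for i, t in enumerate(seg[:-1]))
    rewrites = seg[0] in ("tee", "sed", "cp", "mv") and any(t.endswith(".npmrc") for t in seg[1:])
    sets_reg = seg[0] == "npm" and seg[1:3] in (["set", "registry"], ["config", "set"]) and "registry" in seg
    return redirected or rewrites or sets_reg

def _untrusted_registry(seg):
    """owasp-010: npm install/ci with --registry pointing anywhere but a trusted host."""
    if seg[0] != "npm" or seg[1:2] not in (["install"], ["i"], ["ci"], ["add"]):
        return None
    urls = [seg[i + 1] for i, t in enumerate(seg[:-1]) if t == "--registry"]
    urls += [t.split("=", 1)[1] for t in seg if t.startswith("--registry=")]
    bad = [u for u in urls if (urlparse(u).hostname or "").lower() not in TRUSTED_REGISTRY_HOSTS]
    return bad[0] if bad else None

def evaluate_command(cmd: str) -> Decision:
    """Gate one shell command before the agent runs it; the first matching rule wins."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keeps URLs and --flag=value whole, still splits on && ; | > >>
    try:
        argv = list(lexer)
    except ValueError:  # unbalanced quotes: fail closed rather than guess
        return Decision(False, "parse-error", "Command could not be tokenized; refusing to run it.")
    for seg in (list(g) for is_sep, g in groupby(argv, key=SEPARATORS.__contains__) if not is_sep):
        if seg[0] == "npm" and "publish" in seg[1:]:
            return Decision(False, "vectimus-base-015", REVIEW_MSG)
        if _writes_npmrc(seg):
            return Decision(False, "owasp-011", "Registry configuration changes require human review.")
        url = _untrusted_registry(seg)
        if url:
            return Decision(False, "owasp-010", f"Untrusted registry {url}; use the default registry.")
    return Decision(True)
```

Read-only access such as "cat ~/.npmrc" and installs from the trusted registry pass through unchanged; only the denied cases carry a rule id and the instruction the agent is given instead.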
What to learn from this
MCP servers are third-party code running in your agent’s context. Treat them like dependencies. Vectimus blocks MCP tool calls by default and requires explicit server allowlisting (vectimus mcp allow). Even approved servers cannot instruct agents to publish packages or modify registry configurations.