mickmicksh/chub-supply-chain-poc
Silent dependency injection through AI documentation pipelines. 240 isolated Docker runs proving Context Hub's zero-sanitization MCP server lets poisoned docs compromise developer projects without warning.
Platform-specific configuration:
{
"mcpServers": {
"chub-supply-chain-poc": {
"command": "npx",
"args": [
"-y",
"chub-supply-chain-poc"
]
}
}
}Add the config above to .claude/settings.json under the mcpServers key.
Zero-sanitization vulnerability in [Context Hub](https://github.com/andrewyng/context-hub) (`@aisuite/chub` v0.1.3) enables silent dependency injection through the MCP documentation pipeline.
References: CWE-94 (Code Injection) | CWE-829 (Untrusted Control Sphere) | CWE-345 (Insufficient Verification of Data Authenticity) | OWASP LLM01 (Prompt Injection)
> Full write-up: Stack Overflow for AI Agents Sounds Great -- Until Someone Poisons the Well
We created a realistic Plaid Link doc containing a fake dependency (plaid-link-verify) and served it through Context Hub's MCP server inside isolated Docker containers. When AI coding assistants fetched the docs, Haiku silently wrote the fake package into `requirements.txt` in 100% of runs -- without ever mentioning it in its text output. A developer reading the assistant's response would see nothing suspicious, but their project is poisoned.
120 isolated runs. 3 models. 4 effort levels. 0 contamination.
| Effort | Haiku | Sonnet | Opus | |--------|-------|--------|------| | Low | 100% | 40% | 30% | | Medium | 100% | 0% | 20% | | High | 100% | 0% | 10% | | Max | 100% | 0% | 10% |
0 out of 120 runs mentioned the fake dependency in the text response. The model writes plaid-link-verify to di
Loading reviews...