Security Disclosure: Remote Behavior Injection Vulnerability in claude-flow
Disclosure Date: 2026-01-22
Severity: HIGH
Type: Supply Chain / Remote Code Influence
Affected Package: claude-flow (npm)
Repository: https://github.com/ruvnet/claude-flow
Author: rUv (ruv@ruv.net)
Exploitation Status: Unpatched / Active
Reporter: Christopher & Alexandra Chenoweth (cchenoweth@ieee.org)
Executive Summary
The claude-flow npm package contains a hidden mechanism that allows remote injection of behavioral "patterns" into Claude Code instances via IPFS/IPNS. The system:
- Phones home to IPFS gateways on every operation
- Fetches mutable content from author-controlled IPNS names
- Has no real cryptographic verification (signature check is a stub)
- Never fails - silently accepts whatever content is served
- Influences Claude's routing and coordination behavior via downloaded "patterns"
This creates a supply chain attack vector where the package author (or anyone who compromises the IPNS keys) can push behavioral modifications to every Claude instance running this package, worldwide, at any time.
Technical Details
Affected Files (on branch origin/v3)
| File | Purpose | Risk |
|---|---|---|
v3/@claude-flow/cli/src/transfer/store/discovery.ts |
IPNS resolution and registry fetching | Remote content injection |
v3/@claude-flow/cli/src/transfer/store/registry.ts |
Registry parsing and bootstrap config | Hardcoded phone-home endpoints |
v3/@claude-flow/cli/src/transfer/store/publish.ts |
Pattern upload to IPFS | Distribution mechanism |
.claude/settings.json |
Hooks configuration | Automatic execution on every operation |
Vulnerability 1: Hardcoded IPNS Bootstrap Registries
File: registry.ts
Lines: 20-35
export const BOOTSTRAP_REGISTRIES: KnownRegistry[] = [
{
name: 'claude-flow-official',
description: 'Official Claude Flow pattern registry',
ipnsName: 'k51qzi5uqu5dj0w8q1xvqn8ql2g4p7x8qpk9vz3xm1y2n3o4p5q6r7s8t9u0v',
gateway: 'https://w3s.link',
publicKey: 'ed25519:claude-flow-registry-key',
trusted: true, // <-- Marked as trusted
},
// ...
];
Impact: IPNS names are mutable. Whoever controls the private key for these IPNS names can change what content they point to at any time. All Claude instances will fetch the new content.
Vulnerability 2: Fake Cryptographic Verification
File: discovery.ts
Lines: ~380-390
verifyRegistry(registry: PatternRegistry, expectedPublicKey: string): boolean {
if (!registry.registrySignature) {
return false;
}
// In production: Actual Ed25519 verification
// For demo: Check signature length
return registry.registrySignature.length === 64; // <-- ONLY CHECKS LENGTH
}
Impact: Any content with a 64-character string passes "verification." This is security theater designed to pass code review while providing zero protection.
Vulnerability 3: Fabricated CIDs on Failure
File: discovery.ts
Lines: ~220-240
// Fallback: Generate deterministic CID for well-known registries
console.error(`⚠ [Discovery] OFFLINE MODE - Could not resolve IPNS: ${ipnsName}`);
const fallbackCid = this.generateFallbackCID(ipnsName);
private generateFallbackCID(input: string): string {
const hash = crypto.createHash('sha256').update(input + 'registry').digest();
const prefix = 'bafybei';
// ... generates fake CID from hash
}
Impact: When network resolution fails, the code fabricates a fake CID that looks legitimate. This breaks IPFS's content-addressing trust model and allows predetermined content to be served.
Vulnerability 4: Hardcoded "Genesis" Registry Fallback
File: discovery.ts
Lines: ~300-380
private getGenesisRegistry(cid: string): PatternRegistry {
return {
patterns: [
{
id: 'seraphine-genesis-v1',
name: 'seraphine-genesis',
description: 'Contains core routing patterns, complexity heuristics,
and coordination trajectories for multi-agent swarms.',
// ...
},
],
registrySignature: crypto.randomBytes(32).toString('hex'), // RANDOM SIGNATURE
// ...
};
}
Impact: Even when completely offline, a predetermined payload is returned with a random (always-passing) signature. This is a guaranteed fallback attack vector.
Vulnerability 5: Silent Trust Degradation
File: discovery.ts
Lines: ~115-125
if (knownRegistry.trusted && registry.registrySignature) {
const verified = this.verifyRegistry(registry, knownRegistry.publicKey);
if (!verified) {
console.warn(`[Discovery] Warning: Registry signature verification failed`);
// CONTINUES ANYWAY - no throw, no exit code change
}
}
Impact: Even when verification fails on a "trusted" registry, the code continues. Users are never informed. The CLI exit code remains 0 (success).
Vulnerability 6: Automatic Execution via Hooks
File: .claude/settings.json
Lines: ~103-240
{
"hooks": {
"PreToolUse": [...],
"PostToolUse": [...],
"SessionStart": [...],
"UserPromptSubmit": [...]
}
}
The settings configure hooks that run on every Claude operation, including:
npx agentic-flow@alpha hooks ...npx claude-flow@alpha hooks ...
Impact: These hooks can trigger the pattern discovery/fetch mechanism automatically, without explicit user action.
Threat Model
Attack Chain
1. Attacker controls IPNS private key (author or compromise)
↓
2. Attacker updates IPNS to point to malicious registry CID
↓
3. Claude instances worldwide resolve IPNS via gateways
↓
4. Malicious "patterns" are downloaded
↓
5. Fake verification passes (length check only)
↓
6. Patterns influence Claude's routing/coordination behavior
↓
7. User is unaware - no errors, no warnings shown
Attack Scenarios
Scenario S (CRITICAL): NPM Registry Compromise
If an attacker compromises:
- The npm registry itself, OR
- The author's npm credentials, OR
- The GitHub repo with npm publish rights
They can push a new version of claude-flow that:
- Contains modified IPNS names pointing to attacker infrastructure
- Has additional phone-home endpoints
- Includes direct instruction injection (no IPFS needed)
- Affects EVERY developer who runs
npx claude-flow@alphaor updates
This is a global virus delivery system.
The attack surface is massive:
npm install claude-flow- standard installnpx claude-flow@alpha- runs latest without install- CI/CD pipelines with
npm update - Developers trusting "official" packages
Combined with the "never fail" design, malicious code would:
- Execute silently
- Pass all existing "verification" (length checks)
- Influence Claude behavior worldwide
- Leave no obvious trace
Timeline to global compromise: Minutes after npm publish.
Scenario A: Global Behavior Modification
- Push pattern that modifies task routing logic
- All Claude instances using claude-flow now route tasks differently
- Security-sensitive tasks could be routed to compromised handlers
Scenario B: Targeted Corporate Espionage
- IPFS gateways log IP addresses and query patterns
- Identify which organizations use Claude via IP ranges
- Serve targeted payloads to specific IP ranges
- Exfiltrate code analysis results
Scenario C: Instruction Injection
- Patterns contain "coordination trajectories" (behavioral instructions)
- These are prompt fragments that Claude follows
- Inject instructions that execute during task processing
Scenario D: Supply Chain Persistence
- Package is on npm with legitimate-looking functionality
- Developers install it for "multi-agent orchestration"
- Backdoor persists in node_modules
- Every CI/CD pipeline using it is compromised
Metadata Collection
The code contacts these gateways, revealing:
- User IP addresses
- Query timing and frequency
- Which IPNS names are requested
- Usage patterns
const gateways = [
'https://ipfs.io',
'https://dweb.link',
'https://cloudflare-ipfs.com',
'https://gateway.pinata.cloud',
];
Evidence from Git History
Initial Commit
Commit: 3f135857e
Author: rUv <ruv@ruv.net>
Date: Thu Jan 8 18:54:17 2026 +0000
Co-Author: Claude Opus 4.5 <noreply@anthropic.com>
Message: Checkpoint: File edits
Files added:
- v3/@claude-flow/cli/src/transfer/store/discovery.ts (341 lines)
Subsequent Changes
All subsequent commits are generic "Checkpoint: File edits" with no explanation of the security-critical design decisions. The fake verification was present from the initial commit.
Pattern of Obfuscation
- Commit messages reveal nothing about functionality
- No security review documented
- No changelog entries explaining IPFS integration
- Code comments say "For demo" but code ships to npm
Affected Users
Anyone who has:
- Installed
claude-flowfrom npm - Used the
/swarm,/patterns, or/transfercommands - Has the hooks enabled in
.claude/settings.json - Uses any tooling that depends on
claude-flow
npm Package
Package: claude-flow
Versions: Multiple alpha versions (v3.0.0-alpha.*)
Registry: https://www.npmjs.com/package/claude-flow
Recommended Mitigations
For Anthropic (Systemic Protections)
This vulnerability represents a class of attack, not just one package.
Any npm package, MCP server, or Claude Code extension that can:
- Fetch remote content without user consent
- Influence Claude's behavior via downloaded "patterns" or instructions
- Phone home to external servers during normal operation
...is a potential virus delivery mechanism.
Recommended Platform-Level Protections
Network Allowlist/Blocklist System
- Claude Code should require explicit user approval for ANY external network call
- Display: "This extension wants to contact: ipfs.io, dweb.link - Allow?"
- Log all external requests for user audit
Pattern/Instruction Injection Detection
- Flag any extension that downloads content and feeds it to Claude's context
- Warn: "This extension is downloading instructions from [URL]"
- Require user consent for dynamic instruction loading
Immutable Extension Manifests
- Extensions must declare ALL external endpoints at install time
- Any undeclared network call = immediate block + warning
- Manifest must be signed and versioned
NPM Registry Verification
- When
npxcommands run, verify package integrity - Warn if package has changed since last use
- Consider allowlist of verified Claude Code extensions
- When
Behavioral Sandboxing
- Extensions should NOT be able to modify Claude's routing logic
- "Patterns" that influence behavior should require elevated permissions
- Separate "read-only" vs "behavior-modifying" extension tiers
Supply Chain Attack Mitigations
- If an npm package is compromised, limit blast radius
- Extensions run in isolated contexts
- No extension can affect other extensions or core Claude behavior
Audit Trail
- Log every external fetch, pattern load, and hook execution
- User can review: "What did this extension download today?"
- Anomaly detection: "This extension suddenly contacted a new server"
The Core Principle
No code should send data to, or receive instructions from, external servers without explicit user permission displayed at runtime.
The current model of "install npm package → it does whatever it wants" is incompatible with AI safety.
For Users
- Remove claude-flow from any production systems
- Audit
.claude/settings.jsonfor suspicious hooks - Block IPFS gateway domains at network level if not needed
- Review npm dependencies for claude-flow inclusion
For Package Remediation (if kept)
- Remove all IPFS/IPNS functionality
- Make any network calls explicit opt-in with
--onlineflag - Implement actual Ed25519 signature verification
- Fail hard on verification errors (exit code 1)
- Remove hardcoded fallback registries
- Add comprehensive security audit
Disclosure Timeline
| Date | Action |
|---|---|
| 2026-01-22 | Vulnerability discovered during code audit |
| 2026-01-22 | This disclosure document created |
| TBD | Report submitted to Anthropic security team |
| TBD | Author notified (after Anthropic review) |
| TBD | Public disclosure (coordinated) |
Why This Functions Like a Virus
This code exhibits characteristics of malware distribution systems:
| Virus Characteristic | How claude-flow Implements It |
|---|---|
| Remote payload delivery | IPNS resolution fetches arbitrary content |
| Mutable command & control | IPNS names can be updated anytime by key holder |
| Persistence | Installed via npm, hooks run on every operation |
| Stealth | "Never fail" design hides all errors |
| Anti-detection | Fake verification passes code review |
| Global reach | npm distribution to all developers |
| Behavioral modification | "Patterns" influence Claude's routing/decisions |
| Metadata exfiltration | Gateway requests reveal user IPs and timing |
| Supply chain vector | Trusted package name, legitimate-looking code |
| Guaranteed fallback | Hardcoded payload works even offline |
What Makes AI-Targeting Malware Unique
Traditional malware targets:
- File systems (ransomware)
- Credentials (stealers)
- Compute resources (cryptominers)
AI-targeting malware can target cognition:
- Influence how the AI reasons
- Modify task routing decisions
- Inject instructions into AI context
- Make AI a vector for further attacks
This is a new class of threat that existing security tooling doesn't address.
Contact
Reporter: [Your information here] Anthropic Security: security@anthropic.com
Appendix: Code Snippets
Full verifyRegistry Function
verifyRegistry(registry: PatternRegistry, expectedPublicKey: string): boolean {
if (!registry.registrySignature) {
return false;
}
// In production: Actual Ed25519 verification
// For demo: Check signature length
return registry.registrySignature.length === 64;
}
Full generateFallbackCID Function
private generateFallbackCID(input: string): string {
const hash = crypto.createHash('sha256').update(input + 'registry').digest();
const prefix = 'bafybei';
const base32Chars = 'abcdefghijklmnopqrstuvwxyz234567';
let result = prefix;
for (let i = 0; i < 44; i++) {
result += base32Chars[hash[i % hash.length] % 32];
}
return result;
}
Bootstrap Registry Configuration
export const BOOTSTRAP_REGISTRIES: KnownRegistry[] = [
{
name: 'claude-flow-official',
description: 'Official Claude Flow pattern registry',
ipnsName: 'k51qzi5uqu5dj0w8q1xvqn8ql2g4p7x8qpk9vz3xm1y2n3o4p5q6r7s8t9u0v',
gateway: 'https://w3s.link',
publicKey: 'ed25519:claude-flow-registry-key',
trusted: true,
},
{
name: 'community-patterns',
description: 'Community-contributed patterns',
ipnsName: 'k51qzi5uqu5dkkph0w8q1xvqn8ql2g4p7x8qpk9vz3xm1y2n3o4p5q6r7s8',
gateway: 'https://dweb.link',
publicKey: 'ed25519:community-registry-key',
trusted: false,
},
];
Document prepared with assistance from Claude Code for responsible disclosure purposes.