Repo-Jacking Vulnerability Exposed in Anthropic's Claude Community Plugins
Key Takeaways
- Multiple Claude Community Plugins in Anthropic's official marketplace pointed to vulnerable GitHub repositories with abandoned or deleted owners, creating opportunities for repo-jacking attacks
- While SHA verification protected direct plugin installations, Claude Code's UI preview feature could redirect users to hijacked repositories, opening a social engineering attack vector leveraging community trust
- GitHub namespace protections only apply to projects with high star counts and traffic, leaving community plugins and lesser-known tools exposed to hostile takeover
Summary
Security researcher cyberbender discovered a repo-jacking vulnerability affecting multiple plugins in Anthropic's official Claude Community Plugins marketplace. The attack exploits abandoned GitHub repository paths—where usernames have been deleted or renamed but not reserved—allowing attackers to claim the old namespace and host malicious code. While Anthropic's SHA verification protected against direct code installation, the vulnerability exposed a social engineering vector through Claude Code's "view plugin UI" feature, which could redirect users to compromised repositories without warning.
The vulnerability affected at least five plugins listed in Anthropic's marketplace.json file, including popular tools like deep-research-claude and ghostlty-dynamic-themes, whose original authors had abandoned or deleted their GitHub accounts. GitHub's namespace protection only covers popular projects with sufficient stars and traffic, leaving lesser-known community plugins exposed to hostile takeover. The researcher notes this follows a 2025-2026 trend of supply chain attacks targeting AI tooling and open-source software, with threat actors like TeamPCP demonstrating increased sophistication in targeting agentic platforms.
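The defensive check implied by the two paragraphs above is an audit of the marketplace manifest itself: every plugin reference should be pinned to a full commit SHA, and the GitHub owner it points at should still exist, because an orphaned owner name is exactly what a repo-jacker re-registers. The script below is an added example, not Anthropic's code and not the real marketplace.json schema (the page does not show it); the manifest layout (a plugins list with a "source" URL and an optional "sha"), the plugin names, and the owner-existence lookup (a constructed set standing in for a live lookup such as GET /users/{owner} on the GitHub API) are all assumptions so that it runs offline.

```python
"""Audit a plugin marketplace manifest for repo-jacking exposure.

Added example, not Anthropic's code. The manifest layout (a list of
plugins with a GitHub "source" URL and an optional pinned "sha") is an
assumption for illustration; the real marketplace.json schema is not
shown on the page. The owner-existence lookup is simulated with a
constructed set so the script runs offline.
"""
import json
import re
from dataclasses import dataclass

# Accept only canonical https://github.com/<owner>/<repo> sources.
GITHUB_URL = re.compile(
    r"^https://github\.com/([A-Za-z0-9-]+)/([A-Za-z0-9._-]+?)(?:\.git)?/?$"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample manifest; plugin and owner names are placeholders.
SAMPLE_MANIFEST = json.dumps({
    "plugins": [
        {"name": "pinned-ok", "source": "https://github.com/active-dev/pinned-ok", "sha": "a" * 40},
        {"name": "orphaned-plugin", "source": "https://github.com/gone-user/orphaned-plugin", "sha": "b" * 40},
        {"name": "unpinned-plugin", "source": "https://github.com/active-dev/unpinned-plugin"},
        {"name": "short-sha", "source": "https://github.com/active-dev/short-sha", "sha": "abc123"},
        {"name": "not-github", "source": "https://example.invalid/x/y", "sha": "c" * 40},
    ]
})

# Constructed stand-in for a live owner lookup (e.g. GET /users/{owner} on
# the GitHub API, where a 404 means the name is free to be re-registered).
EXISTING_OWNERS = {"active-dev"}


@dataclass
class Finding:
    plugin: str
    issue: str


def parse_source(url):
    """Return (owner, repo) for a github.com URL, or None if it is not one."""
    m = GITHUB_URL.match(url or "")
    return (m.group(1), m.group(2)) if m else None


def audit_manifest(manifest_text, owner_exists):
    """Return a list of Findings for every risky plugin entry.

    A pinned SHA protects the install itself, but an orphaned owner is still
    reported: any link or UI preview that follows the repo URL instead of
    the SHA would land on whoever re-registers the namespace.
    """
    findings = []
    data = json.loads(manifest_text)
    for plugin in data.get("plugins", []):
        name = plugin.get("name", "<unnamed>")
        parsed = parse_source(plugin.get("source"))
        if parsed is None:
            findings.append(Finding(name, "source is not a canonical github.com repository URL"))
            continue
        owner, _repo = parsed
        sha = plugin.get("sha")
        if not sha:
            findings.append(Finding(name, "no pinned commit sha; install follows whatever the branch points to"))
        elif not FULL_SHA.match(sha):
            findings.append(Finding(name, "sha is not a full 40-hex commit id; short ids are forgeable"))
        if not owner_exists(owner):
            findings.append(Finding(name, f"owner '{owner}' no longer exists; namespace can be re-registered"))
    return findings


def flagged_plugins(findings):
    """Sorted, de-duplicated names of plugins with at least one finding."""
    return sorted({f.plugin for f in findings})


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST, lambda owner: owner in EXISTING_OWNERS):
        print(f"{f.plugin}: {f.issue}")
```

Running this against a real manifest means swapping the constructed `EXISTING_OWNERS` lookup for an authenticated API call and running it on a schedule; the finding that matters most is the orphaned-owner one, since it fires even when the SHA pin is in place and the install path is technically safe.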
The incident underscores a growing tension in AI security: as agents gain autonomy to install and execute code from trusted sources, even without explicit user interaction, the stakes of supply chain compromise increase dramatically. Traditional security lessons about dependency management and namespace trust are being relearned in the context of AI agents that operate with minimal friction and sometimes reduced permission checks.
- The vulnerability reflects a broader 2025-2026 trend of supply chain attacks targeting AI tooling, where autonomous agents amplify the risk by enabling attackers to compromise multiple downstream users through a single compromised dependency
- Effective security for plugin ecosystems requires combining cryptographic verification with UI-level controls, namespace protection policies, and ongoing maintenance of plugin marketplace references
Editorial Opinion
This vulnerability highlights a critical blind spot in how AI platforms manage trust in third-party ecosystems. Cryptographic protections like SHA verification are important, but they're insufficient when UI features can silently redirect users to malicious sources. As agentic AI becomes autonomous enough to install and execute code without explicit per-action confirmation, the industry faces a reckoning: traditional open-source supply chain lessons—many painfully learned—must be rapidly adapted for platforms where agents do the installing. Anthropic and other agentic platforms should treat plugin marketplace hygiene as a security-critical function, not a community feature.