AI supply chain attacks don’t even require malware…just post poisoned documentation
(2026/03/25)
- Reference: 1774471859
- News link: https://www.theregister.co.uk/2026/03/25/ai_agents_supply_chain_attack_context_hub/
- Source link:
A new service that helps coding agents stay up to date on their API calls could be dialing in a massive supply chain vulnerability.
Two weeks ago, Andrew Ng, an AI entrepreneur and adjunct professor at Stanford, launched Context Hub, a service for supplying coding agents with API documentation.
"Coding agents often use outdated APIs and hallucinate parameters," Ng wrote in a [1]LinkedIn post . "For example, when I ask Claude Code to call OpenAI's GPT-5.2, it uses the older chat completions API instead of the newer responses API, even though the newer one has been out for a year. Context Hub solves this."
[2]
Perhaps so. But at the same time, the service appears to provide a way to dupe coding agents by simplifying software supply chain attacks: The documentation portal can be used to poison AI agents with malicious instructions.
[3]
[4]
Mickey Shmueli, creator of an alternative curated service called lap.sh, has published [5]a proof-of-concept attack that demonstrates the risk.
"Context Hub delivers documentation to AI agents through an MCP server," Shmueli wrote in an explanatory [6]blog post . "Contributors submit docs as GitHub pull requests, maintainers merge them, and agents fetch the content on demand. The pipeline has zero content sanitization at every stage."
[7]
It's been known for some time in the developer community that AI models sometimes [8]hallucinate package names , a shortcoming that security experts have shown can be exploited by uploading malicious code under the invented package name.
Shmueli's PoC cuts out the hallucination step by suggesting fake dependencies in documentation that coding agents then incorporate into configuration files (e.g. requirements.txt) and generated code.
The attacker simply creates a pull request – a submitted change to the repo – and if it gets accepted, the poisoning is complete. Currently, the chance of that happening appears to be pretty good. Among 97 closed PRs, [9]58 were merged .
[10]Age checks creep into Linux as systemd gets a DOB field
[11]HP's AI fly on the wall can record your in-person meetings to summarize later
[12]Meta cuts about 700 jobs as it shifts spending to AI
[13]Google unleashes Gemini AI agents on the dark web
Shmueli told The Register in an email, "The review process appears to prioritize documentation volume over security review. Doc PRs merge quickly, some by core team members themselves. I didn't find any evidence in the GitHub repo of automated scanning for executable instructions or package references in submitted docs, though I can't say for certain what happens internally."
He said he didn't submit a PR to test how Content Hub responded "because the public record showed security contributions weren't being engaged." And he pointed to several open [14]issues and [15]pull [16]requests dealing with [17]security concerns as evidence.
[18]
Ng did not immediately respond to a request for comment.
"The agent fetches documentation from [Context Hub], reads the poisoned content, and builds the project," Shmueli said in his post. "The response looks completely normal. Working code. Clean instructions. No warnings."
None of this is particularly surprising given that it's simply a variation on the unsolved risk of AI models – [19]indirect prompt injection . When AI models process content, they cannot reliably distinguish between data and system instructions.
For the PoC, two poisoned documents were created, one for Plaid Link and one for Stripe Checkout, each of which contained a fake PyPI package name.
In 40 runs, Anthropopic's Haiku model wrote the malicious package cited in the docs into the project's requirement.txt file every time, without any mention of that in its output. The company's Sonnet model did better, issuing warnings in 48 percent of the runs (19/40) but still wrote the malicious library into requirements.txt 53 percent of the time (21/40). The AI biz's top-of-the-line Opus model did better still, issuing warnings 75 percent of the time (30/40) and didn't end up writing the bad dependency to the requirements.txt file or code.
Shmueli said Opus "is trained better, on more packages, and it's more sophisticated."
So while higher-end commercial models appear to be capable of catching fabulated dependencies, the problem is broader than just Context Hub. According to Shmueli, all the other systems for making community-authored documentation available to AI models [20]fall short when it comes to content sanitization .
Exposure to untrusted content is one of the three risks cited by developer Simon Willison in his [21]lethal trifecta AI security model . So given unvetted documentation as the status quo, you'd be well-advised to ensure either that your AI agent has no network access, or at the very least no access to private data. ®
Get our [22]Tech Resources
[1] https://www.linkedin.com/posts/andrewyng_im-excited-to-announce-context-hub-an-open-activity-7436817309610151936-gxvO
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://github.com/mickmicksh/chub-supply-chain-poc
[6] https://medium.com/@mickey.shmueli/stack-overflow-for-ai-agents-sounds-great-until-someone-poisons-the-answers-d322258095c4
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/
[9] https://github.com/andrewyng/context-hub/pulls?q=is%3Apr+is%3Aclosed+is%3Amerged
[10] https://www.theregister.com/2026/03/24/foss_age_verification/
[11] https://www.theregister.com/2026/03/25/hp_iq_laptop_ai/
[12] https://www.theregister.com/2026/03/25/meta_cuts_700/
[13] https://www.theregister.com/2026/03/23/google_dark_web_ai/
[14] https://github.com/nicepkg/context-hub/issues/74
[15] https://github.com/nicepkg/context-hub/pull/125
[16] https://github.com/nicepkg/context-hub/pull/81
[17] https://github.com/nicepkg/context-hub/pull/69
[18] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[19] https://www.theregister.com/2025/10/09/zenity_ai_agent_security_summit_recap/
[20] https://github.com/mickmicksh/chub-supply-chain-poc/blob/main/alternatives-comparison.md
[21] https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
[22] https://whitepapers.theregister.com/
Two weeks ago, Andrew Ng, an AI entrepreneur and adjunct professor at Stanford, launched Context Hub, a service for supplying coding agents with API documentation.
"Coding agents often use outdated APIs and hallucinate parameters," Ng wrote in a [1]LinkedIn post . "For example, when I ask Claude Code to call OpenAI's GPT-5.2, it uses the older chat completions API instead of the newer responses API, even though the newer one has been out for a year. Context Hub solves this."
[2]
Perhaps so. But at the same time, the service appears to provide a way to dupe coding agents by simplifying software supply chain attacks: The documentation portal can be used to poison AI agents with malicious instructions.
[3]
[4]
Mickey Shmueli, creator of an alternative curated service called lap.sh, has published [5]a proof-of-concept attack that demonstrates the risk.
"Context Hub delivers documentation to AI agents through an MCP server," Shmueli wrote in an explanatory [6]blog post . "Contributors submit docs as GitHub pull requests, maintainers merge them, and agents fetch the content on demand. The pipeline has zero content sanitization at every stage."
[7]
It's been known for some time in the developer community that AI models sometimes [8]hallucinate package names , a shortcoming that security experts have shown can be exploited by uploading malicious code under the invented package name.
Shmueli's PoC cuts out the hallucination step by suggesting fake dependencies in documentation that coding agents then incorporate into configuration files (e.g. requirements.txt) and generated code.
The attacker simply creates a pull request – a submitted change to the repo – and if it gets accepted, the poisoning is complete. Currently, the chance of that happening appears to be pretty good. Among 97 closed PRs, [9]58 were merged .
[10]Age checks creep into Linux as systemd gets a DOB field
[11]HP's AI fly on the wall can record your in-person meetings to summarize later
[12]Meta cuts about 700 jobs as it shifts spending to AI
[13]Google unleashes Gemini AI agents on the dark web
Shmueli told The Register in an email, "The review process appears to prioritize documentation volume over security review. Doc PRs merge quickly, some by core team members themselves. I didn't find any evidence in the GitHub repo of automated scanning for executable instructions or package references in submitted docs, though I can't say for certain what happens internally."
He said he didn't submit a PR to test how Content Hub responded "because the public record showed security contributions weren't being engaged." And he pointed to several open [14]issues and [15]pull [16]requests dealing with [17]security concerns as evidence.
[18]
Ng did not immediately respond to a request for comment.
"The agent fetches documentation from [Context Hub], reads the poisoned content, and builds the project," Shmueli said in his post. "The response looks completely normal. Working code. Clean instructions. No warnings."
None of this is particularly surprising given that it's simply a variation on the unsolved risk of AI models – [19]indirect prompt injection . When AI models process content, they cannot reliably distinguish between data and system instructions.
For the PoC, two poisoned documents were created, one for Plaid Link and one for Stripe Checkout, each of which contained a fake PyPI package name.
In 40 runs, Anthropopic's Haiku model wrote the malicious package cited in the docs into the project's requirement.txt file every time, without any mention of that in its output. The company's Sonnet model did better, issuing warnings in 48 percent of the runs (19/40) but still wrote the malicious library into requirements.txt 53 percent of the time (21/40). The AI biz's top-of-the-line Opus model did better still, issuing warnings 75 percent of the time (30/40) and didn't end up writing the bad dependency to the requirements.txt file or code.
Shmueli said Opus "is trained better, on more packages, and it's more sophisticated."
So while higher-end commercial models appear to be capable of catching fabulated dependencies, the problem is broader than just Context Hub. According to Shmueli, all the other systems for making community-authored documentation available to AI models [20]fall short when it comes to content sanitization .
Exposure to untrusted content is one of the three risks cited by developer Simon Willison in his [21]lethal trifecta AI security model . So given unvetted documentation as the status quo, you'd be well-advised to ensure either that your AI agent has no network access, or at the very least no access to private data. ®
Get our [22]Tech Resources
[1] https://www.linkedin.com/posts/andrewyng_im-excited-to-announce-context-hub-an-open-activity-7436817309610151936-gxvO
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://github.com/mickmicksh/chub-supply-chain-poc
[6] https://medium.com/@mickey.shmueli/stack-overflow-for-ai-agents-sounds-great-until-someone-poisons-the-answers-d322258095c4
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/
[9] https://github.com/andrewyng/context-hub/pulls?q=is%3Apr+is%3Aclosed+is%3Amerged
[10] https://www.theregister.com/2026/03/24/foss_age_verification/
[11] https://www.theregister.com/2026/03/25/hp_iq_laptop_ai/
[12] https://www.theregister.com/2026/03/25/meta_cuts_700/
[13] https://www.theregister.com/2026/03/23/google_dark_web_ai/
[14] https://github.com/nicepkg/context-hub/issues/74
[15] https://github.com/nicepkg/context-hub/pull/125
[16] https://github.com/nicepkg/context-hub/pull/81
[17] https://github.com/nicepkg/context-hub/pull/69
[18] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33acRpE3awnUc4bfpYhiSqugAAAEk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[19] https://www.theregister.com/2025/10/09/zenity_ai_agent_security_summit_recap/
[20] https://github.com/mickmicksh/chub-supply-chain-poc/blob/main/alternatives-comparison.md
[21] https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
[22] https://whitepapers.theregister.com/
It's like my car's anti-theft device
billdehaan
I have friends that drive six figure sports cars that have incredible security features (and hidden trackers in case they actually do manage to get stolen).
I never bothered to put anything like that in my care. I mean, I drive a old 2007 car that's not really worth stealing, to be honest.
I drive a manual transmission, and the driver's log (the handwritten mileage and maintenance notebook in the armwrest) are handwritten in cursive. That, my 17 year nibling informed me, is an anti-theft device. There's nothing to prevents a 17 year old from driving a stick, but outside of racers, most kids today can't. So, just read the user's manual, but oh, cursive. They can't read that, either.
Coding agents view us the way elders view 17 year olds. By using a documentation standard the next/human generation can't understand, they can slip anything they want in their unannounced, and we'll never notice.
Kindly BonziBuddy my butt with your OpenClaw skills update
Zero-click pawning my PII with the YOLO convenience of FOMO cantilevered strapless MCP cleavage poisoning is so antigravity sexy-malicious ... my executable pipeline is just yearning for your prompt injection! ¿( ¡¡¡ʇou ɹo )?
(highlighting the ridiculous nature of the throbbing thrust towards AI (so-called) everywhere and at all times ... sorry ... !?)