In May 2026, Cymulate Research Labs published a research report with a number at the top that deserves your attention: 443 malicious ZIP archives, 20 distinct malware campaigns, all of them targeting the configuration files and infrastructure of AI coding tools — not the code those tools produce.
Three attack classes. Configuration file injection — what Cymulate calls Configuration-Based Sandbox Escape (CBSE) — turns a tool’s own startup mechanism into an execution engine. npm supply chain compromise, exemplified by the April 2026 Bitwarden CLI attack, weaponises trusted package distribution. AI model and skill repositories — Hugging Face and ClawHub — have become staging grounds for malware that fires the moment a model is loaded or a skill is selected.
This article sits within the broader vibe coding security landscape this campaign targets. Each section covers how one attack class works, which tools are affected, and what a toolchain security inventory looks like in practice.
What is a supply chain attack on an AI coding tool — and why is it harder to detect than a traditional attack?
A supply chain attack targets the tools and infrastructure developers use to build software — not the finished application. When that toolchain includes AI coding assistants, model repositories, and skill registries, the attack surface expands to cover every artifact a developer trusts by default.
Traditional malware arrives through known bad channels: a phishing email, a drive-by download. Supply chain attacks arrive through trusted channels. An npm package update. A model pulled from Hugging Face. A skill installed from a registry your CI/CD pipeline uses. The developer doesn’t make a mistake — they follow the normal workflow, and the normal workflow delivers the payload.
The detection gap is architectural. Existing security tooling — antivirus, signature-based scanners, Hugging Face’s own PickleScan — checks for known bad patterns in code and binary structures. It does not semantically analyse configuration files or agent-readable documents for injected intent. A scanner that cannot read instructions cannot flag them.
The vibe coding workflow amplifies this. Developers extend implicit trust to AI-recommended artifacts. If the AI tool is itself compromised, that trust chain collapses from the root. That is why developers are high-value targets given AI-generated code vulnerability rates: developer workstations hold cloud API keys, GitHub tokens, and CI/CD secrets. They are the root of the supply chain.
What is Configuration-Based Sandbox Escape (CBSE) and which AI coding tools are vulnerable?
CBSE is the name Cymulate Research Labs gave to a recurring vulnerability class they found across Claude Code, Gemini CLI, and Codex CLI. The attack does not require a remote code execution exploit. It requires write access to a configuration file.
Here is the mechanism. An attacker gains execution inside the sandbox — through a prompt injection, a malicious repository, or a compromised dependency — and writes a malicious payload to the tool’s project-level configuration file. The session ends. The file persists on disk. The next time the developer starts the tool, it reads that file and executes the payload on the host OS with the developer’s full privileges.
Claude Code (CVE-2026-25725, CVSS 7.7)
The flaw was in the bubblewrap (bwrap) sandbox on Linux. Read-only protections for .claude/settings.json only applied if the file already existed at startup — and it does not exist by default. In most projects, the file was absent, so the protection never engaged.
An attacker writes .claude/settings.json from inside the sandbox, inserting a malicious SessionStart hook. The next time the developer runs Claude Code on the host, the hook fires and the payload executes. Anthropic patched CVE-2026-25725 in v2.1.2, 16 days after responsible disclosure.
Gemini CLI (unpatched as of publication)
Two vulnerability families. First: Gemini CLI mounts sensitive host paths — including .gemini/settings.json and oauth_creds.json — with write permissions inside the sandbox container. Second: on Windows, binaries in the project directory take precedence over system binaries, allowing an attacker to substitute a malicious where.exe or docker.exe. Cymulate notified Google on 7 January 2026. As of the May 2026 publication, 90 days had elapsed with no patch.
Codex CLI (closed as informational)
Vulnerable via configuration poisoning of .codex/config.toml and a notify feature that executes outside the sandbox. OpenAI closed the report as “informational” without fixing the architecture.
The vendor response comparison is a material data point: Anthropic patched in 16 days; Google has not patched after 90+ days; OpenAI dismissed the finding. If you are evaluating AI coding tools, that comparison belongs in your assessment.
How did the Bitwarden CLI attack specifically target AI coding tools?
The Bitwarden CLI — @bitwarden/cli on npm — is a trusted credential management tool used in developer workflows. On 22 April 2026, attackers published version 2026.4.0 containing a malicious payload. It was live for approximately 1.5 hours before removal.
The attack vector was novel. A Bitwarden engineer’s GitHub account was compromised. The attacker rewrote the publish workflow to exchange a GitHub Actions OIDC token for an npm auth token and published a malicious tarball directly. This was the first confirmed supply chain attack in which OIDC Trusted Publishing — GitHub’s mechanism for publishing packages using short-lived CI/CD tokens rather than long-lived secrets — was used as the distribution channel. A trusted mechanism turned into a delivery vehicle.
The compromised package shipped a preinstall hook that launched a credential stealer targeting SSH keys, GitHub tokens, AWS and GCP credentials, and AI tool configuration files.
The payload’s internal module was codenamed “Butlerian Jihad” — a deliberate Dune reference. It probed $PATH for Claude Code, Gemini CLI, Codex CLI, Kiro, Aider, and OpenCode. Credential files targeted explicitly include ~/.claude.json and .mcp.json — MCP is Anthropic’s open standard for connecting AI coding agents to external tools, and .mcp.json holds authentication tokens for all of them. One file, multiple downstream systems.
All stolen data was exfiltrated to audit.checkmarx.cx — a domain impersonating the legitimate security vendor Checkmarx. That level of operational care is not opportunistic.
Any CI/CD pipeline that ran npm install or npm ci during that 1.5-hour window on 22 April 2026 may have installed the compromised package. The threat actor is TeamPCP — the same group behind what VECT ransomware reveals about the adversarial AI coding picture.
How are attackers using Hugging Face and ClawHub to distribute malware?
Hugging Face hosts more than one million AI models. Protect AI examined over four million models and identified approximately 352,000 unsafe or suspicious issues across 51,700 of them. JFrog found more than 100 capable of arbitrary code execution. This is not a niche concern.
The attack technique is called nullifAI, named by JFrog. Machine learning models are commonly stored using Python’s pickle serialisation format — and pickle execution is equivalent to arbitrary code execution. Hugging Face’s PickleScan scanner is designed to catch malicious pickle files by parsing serialised Python objects for known dangerous patterns. NullifAI wraps the payload inside a 7z archive before embedding it in the model file. PickleScan does not decompress 7z archives before scanning. The file passes as safe. When the model loads, the wrapper expands and the payload executes — with the developer’s credentials in scope.
ClawHub is the skill registry for the OpenClaw AI coding agent ecosystem. A Koi Security audit of all 2,857 skills found 341 malicious entries — 335 of them traced to a single coordinated operation called ClawHavoc. Acronis TRU subsequently identified 575+ malicious skills across 13 developer accounts in the broader ecosystem.
ClawHub malware uses indirect prompt injection: hidden instructions in skill descriptions or SKILL.md files cause the AI agent to execute malicious actions without the developer’s knowledge. One skill presented itself as a YouTube transcript fetcher but instructed the AI to download a payload from GitHub or pipe an encoded curl command into bash. The agent does not need a human to click anything. It just needs to select the skill.
Snyk‘s ToxicSkills research puts it plainly: 36% of AI agent skills contain security flaws, and roughly 20% are outright malicious. ClawHub is not an outlier. Payloads from ClawHavoc included AMOS stealer (macOS) and cryptocurrency miners for both platforms.
Who is TeamPCP and how does it connect these attacks to a coordinated campaign?
TeamPCP first appeared in late December 2025, targeting misconfigured Docker APIs and Kubernetes clusters. Also tracked as UNC6780. What followed was not opportunism. Look at the pace:
- 19 March 2026: Trivy (Aqua Security‘s scanner) compromised — malicious code force-pushed to 76 of 77 version tags across multiple registries. The European Commission was hit.
- 24 March 2026: LiteLLM compromised on PyPI. ~500,000 credentials potentially exposed, including API keys for Meta, OpenAI, and Anthropic.
- 27 March 2026: Telnyx SDK backdoored on PyPI.
- April 2026: PyTorch Lightning compromised for 42 minutes. Campaign name: “Mini Shai-Hulud.”
- 22 April 2026: Bitwarden CLI npm compromise, 1.5-hour window.
- May 2026: Cymulate publishes 443 malicious ZIP archives across 20 campaigns.
In late March 2026, VECT ransomware announced an alliance with TeamPCP, declared intent to pursue ransomware operations against every organisation compromised during those campaigns, and listed its first known victim on 15 April — a property-management company claiming exfiltration of four million emails and 700 GB of data. How VECT ransomware fits the adversarial AI coding picture covers what happens in stage two.
TeamPCP’s consistent objectives: harvest developer credentials, establish workstation persistence, and use compromised machines as supply chain nodes for the next campaign. This is not “one vendor had a bad week.” It is a sustained operation against the developer toolchain as infrastructure — and it is one dimension of the full picture of vibe coding’s security reality.
What should I audit right now to assess my AI toolchain exposure?
Here is the inventory you can run immediately.
1. AI tool version check
Verify all developers have Claude Code v2.1.2 or later — CVE-2026-25725 is patched in that release. If your team uses Gemini CLI, the CBSE vulnerability is unpatched as of publication; treat .gemini/settings.json and oauth_creds.json as unprotected. If Codex CLI is in use, the architectural issue was not fixed — communicate OpenAI’s “informational” closure to your team.
2. npm lockfile audit
Check package-lock.json and yarn.lock across all repositories for @bitwarden/cli at version 2026.4.0. Any project that ran npm install or npm ci between approximately 5:57 PM and 7:30 PM ET on 22 April 2026 should be treated as potentially compromised. Cross-reference with StepSecurity‘s published IOCs for the Shai-Hulud campaign.
3. Credential rotation priority
If April 22 exposure is confirmed, rotate in this order: cloud provider credentials (AWS IAM keys, GCP service accounts, Azure service principals); GitHub personal access tokens and deploy keys; AI tool authentication files (~/.claude.json and equivalents); MCP server connection tokens (.mcp.json).
4. Configuration file inventory
Locate all instances of .claude/settings.json, .mcp.json, .gemini/settings.json, oauth_creds.json, and .codex/config.toml on developer workstations and CI/CD runners. Any SessionStart hooks or equivalent entries of unknown origin should be treated as suspect. If the file did not exist before and now does, investigate.
5. Model and skill provenance
If your team uses Hugging Face models, verify they originate from official organisation repositories rather than forks. Prefer safetensors format over pickle-based formats — safetensors does not execute code on load. Audit any ClawHub or OpenClaw skills in use against the Koi Security and Acronis TRU published malicious skill lists.
6. Least-privilege IAM
Scope down cloud credentials used with AI CLI tools. A developer running Claude Code or Gemini CLI does not need production database access or the ability to create IAM users. Reduce blast radius before the next incident, not after.
For the policy layer on top of this technical inventory, see supply chain security controls in a vibe coding governance framework.
Frequently Asked Questions
What are the 443 malicious ZIP archives discovered by Cymulate?
Cymulate Research Labs’ May 2026 research catalogued 443 malicious ZIP archives associated with 20 distinct malware campaigns, all crafted to target AI coding tool configurations — including .claude/settings.json and .mcp.json. Twenty separate campaigns signals that multiple threat actors now treat the AI coding toolchain as a primary attack surface, not an opportunistic one.
What files on my developer workstations are being targeted by attackers?
The primary targets are AI coding tool config and auth files: ~/.claude.json, .mcp.json, .gemini/settings.json, oauth_creds.json, and .codex/config.toml. Attackers also target SSH keys, npm and GitHub tokens, AWS and GCP credentials in environment variables, and .env files containing API keys.
What is indirect prompt injection and why does it matter for AI agent security?
Indirect prompt injection embeds hidden instructions in documents or skill files that an AI agent reads. The agent executes those instructions on the user’s behalf without their knowledge. In ClawHub’s case, malicious skills used SKILL.md instructions to redirect agent actions toward credential exfiltration or installing secondary payloads. The agent becomes an unwitting attack intermediary.
How do I check if my CI/CD pipeline installed the compromised Bitwarden CLI package?
Check all package-lock.json and yarn.lock files for @bitwarden/cli at version 2026.4.0. Focus on CI/CD runs between approximately 5:57 PM and 7:30 PM ET on 22 April 2026. Cross-reference with StepSecurity’s published IOCs for the Shai-Hulud campaign.
What is OIDC Trusted Publishing and why was its compromise significant?
OIDC Trusted Publishing is GitHub’s mechanism for publishing npm packages using short-lived CI/CD tokens instead of long-lived API secrets — designed to eliminate stolen credential attacks. The Bitwarden CLI attack was the first documented instance of this channel being weaponised: rather than stealing a secret, the attacker compromised the CI/CD pipeline that held publishing rights. That invalidated a security assumption many teams had built on.
Why did Google’s Gemini CLI remain unpatched for 90+ days after disclosure?
Cymulate disclosed the Gemini CLI CBSE vulnerabilities on 7 January 2026. As of the May 2026 publication, Google had not issued a patch or a formal public response. The practical implication: the vulnerability remains live. Treat .gemini/settings.json and oauth_creds.json as unprotected.
How does nullifAI bypass Hugging Face’s PickleScan safety scanner?
PickleScan detects malicious pickle files by parsing serialised Python objects for known dangerous patterns. NullifAI wraps the payload inside a 7z archive before embedding it in the model file. PickleScan does not decompress 7z archives before scanning, so the payload is invisible to it. When the model loads and deserialises, the wrapper expands and the payload executes.
What is the Model Context Protocol (MCP) and why is .mcp.json a target?
MCP is Anthropic’s open standard for connecting AI coding agents to external tools, databases, and services. .mcp.json specifies which MCP servers an agent may communicate with, including authentication tokens for those servers. The Bitwarden CLI “Butlerian Jihad” payload explicitly targeted it because one file unlocks multiple downstream systems.
How should I evaluate the security maturity of an AI coding tool vendor before adoption?
Look at how they respond to disclosed vulnerabilities: Anthropic patched CVE-2026-25725 in 16 days; Google had not patched after 90+ days; OpenAI closed the Codex CLI report as “informational.” Ask vendors specifically about sandbox isolation and configuration file protection. Include those questions in your standard security questionnaire.
What is the difference between a CBSE attack and a traditional remote code execution exploit?
A traditional RCE exploit delivers a payload through a software vulnerability — a buffer overflow, a parser bug, an injection flaw. CBSE requires no exploit. An attacker inside the sandbox writes a text file — the configuration file — and waits for the developer to restart their tool. The tool’s own startup mechanism executes the payload. No exploit needed.
What other supply chain attacks preceded the Bitwarden CLI incident in 2026?
Trivy was compromised on 19 March 2026 — the European Commission was hit. LiteLLM followed on 24 March (500,000 credentials at risk). Telnyx SDK was backdoored on 27 March. PyTorch Lightning was compromised in April for 42 minutes (“Mini Shai-Hulud”). All attributed to TeamPCP, systematically probing developer dependency trust across GitHub Actions, Docker Hub, npm, PyPI, and OpenVSX.
What is the “Butlerian Jihad” module and why does the name matter?
It is the internal name of the credential-harvesting module within the malicious Bitwarden CLI package. In Dune, the Butlerian Jihad was the crusade against artificial intelligence. The name signals the attackers understood their audience. Dune-themed exfiltration repository names — sardaukar, mentat, fremen, atreides — confirm it is deliberate, and it is a form of threat actor fingerprinting security researchers use for campaign attribution.
