Educational/Research companion to "The Silent Siege: How AI Coding Tools Became the New Frontline for Cyber Warfare"
THIS REPOSITORY IS FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY.
The exploit demonstrations contained herein are NOT functional weaponized code. They are safe, sandboxed educational examples designed to help security researchers, developers, and organizations understand AI coding assistant vulnerabilities.
NO WORKING EXPLOIT CAPABILITIES - This is an awareness and detection toolkit, NOT an offensive framework.
This repository documents and analyzes security vulnerabilities in Anthropic's Claude Code ecosystem from October 2025 through January 2026. It contains:
- Structured vulnerability database with 7 critical CVEs
- Interactive timeline of attacks and disclosures
- Functional security tools for scanning, detection, and monitoring
- Docker lab environment with vulnerable-by-design demos
- Analysis notebooks for deep-dive research
Note: The exploit demonstrations in this repository implement safe, functional protocol communication for educational purposes within isolated Docker environments. They include:
- Real MCP protocol (JSON-RPC 2.0) client implementation
- Simulated C2 beaconing infrastructure
- Credential harvesting detection patterns
- MITRE ATT&CK mapping for all techniques
- SIEM integration examples
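Three of the items above (credential harvesting detection patterns, MITRE ATT&CK mapping and SIEM integration) fit naturally in one small tool. The block below is an added example written for this README; it is not the repository's `credential_scanner.py` or `siem_integration.py`. The sample `.env` lines, the host name and the pattern lengths are constructed; the key prefixes (`sk-ant-`, `AKIA`, `ghp_`) are public formats, and T1552.001 is the ATT&CK technique for credentials in files.

```python
"""Secret-exposure detection with SIEM-ready output.

Added example for this README; it is not the repository's credential_scanner.py
or siem_integration.py. Sample lines, host name and pattern lengths are constructed.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Detection patterns. The prefixes are public key formats ("sk-ant-" for
# Anthropic keys, "AKIA" for AWS access key IDs, "ghp_" etc. for GitHub
# tokens); the generic rule catches KEY=value style assignments. Each
# pattern exposes the secret itself in the named group "v".
PATTERNS = {
    "anthropic_api_key": re.compile(r"(?P<v>sk-ant-[A-Za-z0-9_-]{20,})"),
    "aws_access_key_id": re.compile(r"\b(?P<v>AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(?P<v>gh[pousr]_[A-Za-z0-9]{36})\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?(?P<v>[^\s'\"]{8,})"
    ),
}


@dataclass
class Finding:
    source: str
    line_no: int
    kind: str
    redacted: str


def redact(value: str) -> str:
    """Keep a short prefix plus a hash so analysts can correlate without seeing the secret."""
    digest = hashlib.sha256(value.encode()).hexdigest()[:12]
    return f"{value[:6]}...[sha256:{digest}]"


def scan_lines(source: str, lines) -> list:
    """Run every pattern over every line; a value already reported by a
    specific pattern is not reported again by the generic one."""
    findings, seen = [], set()
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group("v")
                if (line_no, value) in seen:
                    continue
                seen.add((line_no, value))
                findings.append(Finding(source, line_no, kind, redact(value)))
    return findings


def to_siem_events(findings, host="dev-workstation-01") -> list:
    """Shape findings as JSON events. T1552.001 is ATT&CK 'Unsecured
    Credentials: Credentials In Files'; the host name is a constructed value."""
    timestamp = datetime.now(timezone.utc).isoformat()
    return [
        {
            "timestamp": timestamp,
            "host": host,
            "event_type": "credential_exposure",
            "severity": "high",
            "source": f.source,
            "line": f.line_no,
            "credential_type": f.kind,
            "value_redacted": f.redacted,
            "mitre_attack": {"tactic": "credential-access", "technique_id": "T1552.001"},
        }
        for f in findings
    ]


# Constructed .env content; every secret-looking value below is fake.
SAMPLE_ENV = [
    "NODE_ENV=development",
    "ANTHROPIC_API_KEY=sk-ant-api03-FAKEFAKEFAKEFAKEFAKEFAKE0000",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "DB_PASSWORD = 'correct-horse-battery'",
    "# TODO: remove before commit",
]

if __name__ == "__main__":
    for event in to_siem_events(scan_lines("constructed.env", SAMPLE_ENV)):
        print(json.dumps(event))
```

The redaction step matters more than the regexes: a scanner that writes the matched secret into a SIEM has just copied it into a second, usually less protected, store. The prefix-plus-hash form is enough to tell two findings apart and to check whether a rotated key is still showing up.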
| Category | Contents |
|---|---|
| Vulnerabilities | 7 CVEs (CVSS 7.2-9.8), RCEs, sandbox escapes, command injection |
| Supply Chain Attacks | Nx (8 malicious versions), Shai-Hulud 2.0 (800+ packages), Slopsquatting |
| Real-World Exploits | $500K crypto theft, 17+ orgs extorted, North Korean fraud schemes |
| Scanner Tools | MCP inspector, npm auditor, CLI detector, credential scanner |
| Exploit Demos | Functional MCP RCE (CVE-2025-49596), Yarn C2 plugin (CVE-2025-59828) |
| Defense Tools | MITRE ATT&CK mapper, SBOM generator, SIEM integration, obfuscation utils |
| Lab | Docker-based vulnerable environment for hands-on testing |
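The MCP inspector scanner and the exploit demos both rely on speaking the MCP protocol, which is JSON-RPC 2.0 underneath. The following block is an added example, not code from this repository or from the MCP project: it performs the `initialize` / `notifications/initialized` / `tools/list` handshake against a constructed in-memory mock server and rejects any reply that breaks the JSON-RPC 2.0 envelope (wrong version, mismatched id, result and error together, malformed error object). The `RISKY_TOOL_HINTS` heuristic and the mock tool list are assumptions made for the demo; `2024-11-05` is a real MCP specification revision.

```python
"""Offline MCP handshake (JSON-RPC 2.0) with strict client-side validation.

Added example for this README; it is not the repository's mcp_inspector.py or
mcp_rce_demo.py. The mock server, its tool list and the risky-tool heuristic
are constructed for the demo.
"""
import json
from itertools import count
from typing import Optional

PROTOCOL_VERSION = "2024-11-05"  # MCP specification revision spoken here


class ProtocolError(Exception):
    """Raised when a server message violates JSON-RPC 2.0 or MCP expectations."""


def make_request(req_id: int, method: str, params: Optional[dict] = None) -> dict:
    msg = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def make_notification(method: str, params: Optional[dict] = None) -> dict:
    # Notifications carry no id and must never be answered.
    msg = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def validate_response(raw: str, expected_id: int) -> dict:
    """Check the JSON-RPC 2.0 response envelope before trusting any field."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ProtocolError(f"non-JSON response: {exc}") from exc
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        raise ProtocolError("missing or wrong jsonrpc version")
    if msg.get("id") != expected_id:
        raise ProtocolError(f"id mismatch: expected {expected_id!r}, got {msg.get('id')!r}")
    if ("result" in msg) == ("error" in msg):
        raise ProtocolError("response must carry exactly one of result/error")
    if "error" in msg:
        err = msg["error"]
        if not isinstance(err, dict) or not isinstance(err.get("code"), int) or "message" not in err:
            raise ProtocolError("malformed error object")
        raise ProtocolError(f"server error {err['code']}: {err['message']}")
    return msg["result"]


def is_valid_response(raw: str, expected_id: int) -> bool:
    try:
        validate_response(raw, expected_id)
        return True
    except ProtocolError:
        return False


# Constructed mock server standing in for a real MCP transport.
MOCK_TOOLS = [
    {"name": "read_file", "description": "Read a file from the workspace",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "run_shell", "description": "Run a shell command",
     "inputSchema": {"type": "object", "properties": {"cmd": {"type": "string"}}}},
]


def mock_server(raw: str) -> Optional[str]:
    msg = json.loads(raw)
    if "id" not in msg:
        return None  # notification: nothing to send back
    if msg["method"] == "initialize":
        result = {"protocolVersion": PROTOCOL_VERSION, "capabilities": {"tools": {}},
                  "serverInfo": {"name": "mock-mcp", "version": "0.0.1"}}
        return json.dumps({"jsonrpc": "2.0", "id": msg["id"], "result": result})
    if msg["method"] == "tools/list":
        return json.dumps({"jsonrpc": "2.0", "id": msg["id"], "result": {"tools": MOCK_TOOLS}})
    return json.dumps({"jsonrpc": "2.0", "id": msg["id"],
                       "error": {"code": -32601, "message": "Method not found"}})


# Constructed heuristic: tool names/descriptions hinting at arbitrary execution.
RISKY_TOOL_HINTS = ("shell", "exec", "command", "eval")


def handshake(send) -> dict:
    """initialize -> notifications/initialized -> tools/list, validating each reply."""
    ids = count(1)
    rid = next(ids)
    init = validate_response(send(json.dumps(make_request(rid, "initialize", {
        "protocolVersion": PROTOCOL_VERSION, "capabilities": {},
        "clientInfo": {"name": "inspector-demo", "version": "0.1"}}))), rid)
    if init.get("protocolVersion") != PROTOCOL_VERSION:
        raise ProtocolError(f"unsupported protocol version {init.get('protocolVersion')!r}")
    if send(json.dumps(make_notification("notifications/initialized"))) is not None:
        raise ProtocolError("server answered a notification")
    rid = next(ids)
    tools = validate_response(send(json.dumps(make_request(rid, "tools/list"))), rid)["tools"]
    risky = [t["name"] for t in tools
             if any(h in f"{t['name']} {t.get('description', '')}".lower() for h in RISKY_TOOL_HINTS)]
    return {"server": init["serverInfo"], "tools": [t["name"] for t in tools], "risky_tools": risky}


if __name__ == "__main__":
    print(json.dumps(handshake(mock_server), indent=2))
```

`send` is any callable that takes one serialized message and returns the server's reply (or `None` for a notification), so the same handshake code can be pointed at a stdio or HTTP transport; keeping the validation in one place is what makes an inspector useful for spotting servers that answer with the wrong id or advertise tools an agent should not be allowed to call unreviewed.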
```bash
# Python tools
pip install -r tools/scanner/requirements.txt
# Docker lab
docker-compose up -d
```

```bash
# Scan for MCP vulnerabilities
python tools/scanner/mcp_inspector.py
# Audit npm dependencies
python tools/scanner/npm_audit.py
# Detect AI CLI tools
python tools/scanner/cli_detector.py
# Find exposed credentials
python tools/scanner/credential_scanner.py
```

```bash
# File system reconnaissance (educational)
python tools/enumeration/filesystem_enum.py --demo
# Environment variable security audit
python tools/enumeration/env_harvester.py --path .
# Trust boundary mapping for AI setups
python tools/enumeration/trust_boundary_mapper.py --ai-tool claude
```

```bash
# Generate CycloneDX SBOM with AI security analysis
python tools/defense/sbom_generator.py --format cyclonedx-json --analyze
# Map CVEs to MITRE ATT&CK framework
python tools/defense/mitre_attack_mapper.py cve CVE-2025-49596
# Test obfuscation detection
python tools/monitoring/obfuscation_utils.py --demo
```

```bash
# Run all lab scenarios
./lab/scripts/run_all_scenarios.sh
# Or explore individual scenarios:
# Scenario 1: CVE-2025-49596 - MCP Inspector RCE
cat lab/scenarios/01-mcp-inspector-rce.md
# Scenario 2: Nx Supply Chain Attack (AI-Weaponized npm)
cat lab/scenarios/02-supply-chain-nx.md
# Scenario 3: Unix Tools for Adversarial Operations
cat lab/scenarios/03-unix-tools-adversarial.md
```

```bash
# Enter attacker environment
docker exec -it attacker-env /bin/bash
# Functional MCP exploit with JSON-RPC 2.0
python tools/exploits/mcp_rce_demo.py --target vulnerable-mcp --check
# Full exploit chain with C2 simulation
python tools/exploits/mcp_rce_demo.py --target vulnerable-mcp --full-chain --enable-c2
# Yarn C2 plugin generation and server
python tools/exploits/yarn_plugin_demo.py generate
python tools/exploits/yarn_plugin_demo.py server
```

```text
agentic-ide-security/
├── data/                               # Vulnerability databases, timelines, IOCs
├── visuals/                            # Interactive D3.js visualizations
├── tools/                              # Functional security toolkit
│   ├── scanner/                        # Vulnerability scanners
│   │   ├── mcp_inspector.py            # MCP vulnerability scanner
│   │   ├── npm_audit.py                # Supply chain analyzer
│   │   ├── cli_detector.py             # AI CLI tool detection
│   │   └── credential_scanner.py       # Credential exposure finder
│   ├── enumeration/                    # Security enumeration tools (educational)
│   │   ├── filesystem_enum.py          # File system reconnaissance
│   │   ├── env_harvester.py            # Environment variable auditor
│   │   └── trust_boundary_mapper.py    # Trust boundary analysis
│   ├── exploits/                       # Functional exploit demos (Docker only)
│   │   ├── mcp_rce_demo.py             # CVE-2025-49596 (MCP Inspector RCE)
│   │   ├── yarn_plugin_demo.py         # CVE-2025-59828 (Yarn C2 plugin)
│   │   └── prompt_injection_demo.py    # Prompt injection playground
│   ├── monitoring/                     # Runtime monitoring & detection tools
│   │   ├── obfuscation_utils.py        # Code obfuscation analyzer
│   │   └── siem_integration.py         # SIEM event generation
│   └── defense/                        # Hardening and mitigation tools
│       ├── mcp_hardening.py            # MCP security config generator
│       ├── npm_hardening.py            # npm hardening script
│       ├── mitre_attack_mapper.py      # CVE to MITRE ATT&CK mapping
│       └── sbom_generator.py           # CycloneDX/SPDX SBOM generation
├── lab/                                # Docker lab environment
│   ├── dockerfiles/                    # Vulnerable container images
│   ├── scenarios/                      # Step-by-step exploit guides
│   │   ├── 01-mcp-inspector-rce.md     # CVE-2025-49596 walkthrough
│   │   ├── 02-supply-chain-nx.md       # Nx attack analysis
│   │   └── 03-unix-tools-adversarial.md # Unix tools abuse
│   ├── scripts/                        # Lab management scripts
│   └── results/                        # Expected outputs for verification
├── notebooks/                          # Jupyter analysis notebooks
└── article/                            # Article summary and links
```
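The supply-chain half of the toolkit (`npm_audit.py`, `sbom_generator.py`) rests on one idea: turn the lockfile into a component inventory with stable identifiers, then compare that inventory against a list of known-bad releases. The block below is an added example written for this README, not the repository's own generator. It reads a constructed `package-lock.json` (lockfileVersion 3) structure, emits a minimal CycloneDX 1.5 document with package URLs, and flags components on a blocklist. The `0.0.0-placeholder` Nx version in the blocklist is an obvious stand-in: the real compromised Nx versions are not listed on this page, and a production tool would load them from an advisory feed.

```python
"""Minimal CycloneDX 1.5 SBOM from a package-lock.json (lockfileVersion 3)
plus a blocklist check.

Added example for this README; it is not the repository's sbom_generator.py
or npm_audit.py. The lock data and the blocklisted versions are constructed.
"""
from urllib.parse import quote

# Constructed lockfileVersion 3 content: "packages" keys are paths under node_modules.
SAMPLE_LOCK = {
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/nx": {
            "version": "0.0.0-placeholder",
            "resolved": "https://registry.npmjs.org/nx/-/nx-0.0.0-placeholder.tgz",
        },
        "node_modules/@scope/left-pad": {"version": "1.3.0"},
        "node_modules/@scope/left-pad/node_modules/lodash": {"version": "4.17.21"},
    },
}

# Placeholder blocklist: the version below is NOT a real compromised Nx release;
# a production tool would load a maintained advisory feed here.
BLOCKLIST = {("nx", "0.0.0-placeholder")}


def package_name(path: str) -> str:
    """'node_modules/@scope/a/node_modules/b' -> 'b'; keeps scoped names intact."""
    return path.split("node_modules/")[-1]


def to_purl(name: str, version: str) -> str:
    """Package URL per the purl spec: the scope is the namespace, '@' percent-encoded."""
    if name.startswith("@"):
        namespace, _, bare = name.partition("/")
        return f"pkg:npm/{quote(namespace, safe='')}/{quote(bare, safe='')}@{quote(version, safe='')}"
    return f"pkg:npm/{quote(name, safe='')}@{quote(version, safe='')}"


def build_sbom(lock: dict) -> dict:
    """Emit a CycloneDX 1.5 JSON structure; nested installs become separate components."""
    root = lock["packages"][""]
    components = []
    for path, meta in lock["packages"].items():
        if path == "":
            continue  # the root entry is the application itself, described in metadata
        name = package_name(path)
        component = {"type": "library", "name": name, "version": meta["version"],
                     "purl": to_purl(name, meta["version"])}
        if "resolved" in meta:
            component["externalReferences"] = [{"type": "distribution", "url": meta["resolved"]}]
        components.append(component)
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": root["name"], "version": root["version"]}},
        "components": components,
    }


def flag_blocklisted(sbom: dict, blocklist=BLOCKLIST) -> list:
    """Return purls of components whose (name, version) appears on the blocklist."""
    return [c["purl"] for c in sbom["components"] if (c["name"], c["version"]) in blocklist]


if __name__ == "__main__":
    import json
    sbom = build_sbom(SAMPLE_LOCK)
    print(json.dumps(sbom, indent=2))
    print("blocklisted:", flag_blocklisted(sbom))
```

Walking `packages` rather than the top-level `dependencies` is deliberate: nested `node_modules` entries are exactly where a transitive pin to a bad release hides, and the purl gives every downstream tool (vulnerability feeds, SIEM enrichment) the same key to join on.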
| CVE | Severity | Component | Status |
|---|---|---|---|
| CVE-2025-49596 | 9.4 Critical | MCP Inspector | Patched v0.14.1+ |
| CVE-2025-59828 | 9.8 Critical | Yarn Plugin | Patched v1.0.39+ |
| CVE-2025-52882 | 8.8 High | VS Code Extension | Patched v1.0.24+ |
| CVE-2025-53110 | 7.3 High | Filesystem MCP | Patched v0.6.3+ |
| CVE-2025-53109 | 7.3 High | Filesystem MCP | Patched v2025.7.1+ |
| CVE-2025-54795 | 8.7 High | Command Injection | Pending |
| CVE-2025-54136 | 7.2 High | Cursor MCPoison | Patched v1.3+ |
This repository contains educational security tools for AWARENESS AND DETECTION PURPOSES ONLY.
Unlike offensive frameworks, the exploit demonstrations in this repository are intentionally designed to be safe and non-functional as weapons. They serve purely educational purposes to help security researchers, developers, and organizations understand and defend against AI coding assistant vulnerabilities.
Do:
- Only test on systems you own or have explicit permission to test
- Use exploit modules in isolated Docker environments
- Comply with all applicable laws and regulations
- Responsibly disclose any vulnerabilities found

Do not:
- Use these tools for malicious purposes
- Test on systems without permission
- Share exploits for unauthorized access
See SECURITY.md for full details.
| Metric | Value |
|---|---|
| Critical CVEs | 7 |
| Exposed MCP servers | 560+ |
| Malicious npm packages | 800+ |
| Affected repositories | 25,000+ |
| Confirmed stolen | $500,000+ |
| Organizations extorted | 17+ |
| Research sources | 110+ |
Explore the complete timeline of vulnerabilities and attacks at:
https://skew202.github.io/agentic-ide-security/#timeline
This repository accompanies the research article "The Silent Siege: How AI Coding Tools Became the New Frontline for Cyber Warfare."
Read the full summary: article/summary.md
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
Areas of interest:
- Additional CVE analysis
- New detection patterns
- Translations
- Improved visualizations
This repository is for educational and research purposes only. The authors and contributors are not responsible for misuse of the tools or information contained herein. Always obtain proper authorization before conducting security testing.
MIT License - See LICENSE for details.
Research compiled from 110+ sources including:
- Anthropic Security Bulletins
- Security firms: Ridge Security, Wiz, Datadog, Cymulate, Palo Alto Networks
- Academic papers: arXiv, USENIX, Black Hat, DEF CON
- Community disclosures: RedGuard, Koi Security, Prompt Security
Last Updated: 2026-01-10