A new service that helps coding agents stay up to date on their API calls could be dialing in a massive supply chain vulnerability.<\/p>\n
Two weeks ago, Andrew Ng, an AI entrepreneur and adjunct professor at Stanford, launched Context Hub, a service for supplying coding agents with API documentation.<\/p>\n
“Coding agents often use outdated APIs and hallucinate parameters,” Ng wrote in a LinkedIn post<\/a>. “For example, when I ask Claude Code to call OpenAI’s GPT-5.2, it uses the older chat completions API instead of the newer responses API, even though the newer one has been out for a year. Context Hub solves this.”<\/p>\n Perhaps so. But at the same time, the service appears to provide a way to dupe coding agents by simplifying software supply chain attacks: The documentation portal can be used to poison AI agents with malicious instructions.<\/p>\n Mickey Shmueli, creator of an alternative curated service called lap.sh, has published a proof-of-concept attack<\/a> that demonstrates the risk.\u00a0<\/p>\n “Context Hub delivers documentation to AI agents through an MCP server,” Shmueli wrote in an explanatory blog post<\/a>. “Contributors submit docs as GitHub pull requests, maintainers merge them, and agents fetch the content on demand. The pipeline has zero content sanitization at every stage.”<\/p>\n It’s been known for some time in the developer community that AI models sometimes hallucinate package names<\/a>, a shortcoming that security experts have shown can be exploited by uploading malicious code under the invented package name.<\/p>\n Shmueli’s PoC cuts out the hallucination step by suggesting fake dependencies in documentation that coding agents then incorporate into configuration files (e.g. requirements.txt) and generated code.<\/p>\n The attacker simply creates a pull request \u2013 a submitted change to the repo \u2013 and if it gets accepted, the poisoning is complete. Currently, the chance of that happening appears to be pretty good. Among 97 closed PRs, 58 were merged<\/a>.<\/p>\n Shmueli told The Register in an email, “The review process appears to prioritize documentation volume over security review. Doc PRs merge quickly, some by core team members themselves. I didn’t find any evidence in the GitHub repo of automated scanning for executable instructions or package references in submitted docs, though I can’t say for certain what happens internally.”<\/p>\n He said he didn’t submit a PR to test how Content Hub responded “because the public record showed security contributions weren’t being engaged.” And he pointed to several open issues<\/a> and pull<\/a> requests<\/a> dealing with security concerns<\/a> as evidence.<\/p>\n Ng did not immediately respond to a request for comment.<\/p>\n “The agent fetches documentation from [Context Hub], reads the poisoned content, and builds the project,” Shmueli said in his post. “The response looks completely normal. Working code. Clean instructions. No warnings.”<\/p>\n None of this is particularly surprising given that it’s simply a variation on the unsolved risk of AI models \u2013 indirect prompt injection<\/a>. When AI models process content, they cannot reliably distinguish between data and system instructions.<\/p>\n For the PoC, two poisoned documents were created, one for Plaid Link and one for Stripe Checkout, each of which contained a fake PyPI package name.<\/p>\n In 40 runs, Anthropopic’s Haiku model wrote the malicious package cited in the docs into the project’s requirement.txt file every time, without any mention of that in its output. The company’s Sonnet model did better, issuing warnings in 48 percent of the runs (19\/40) but still wrote the malicious library into requirements.txt 53 percent of the time (21\/40). The AI biz’s top-of-the-line Opus model did better still, issuing warnings 75 percent of the time (30\/40) and didn’t end up writing the bad dependency to the requirements.txt file or code.<\/p>\n Shmueli said Opus “is trained better, on more packages, and it’s more sophisticated.”<\/p>\n So while higher-end commercial models appear to be capable of catching fabulated dependencies, the problem is broader than just Context Hub. According to Shmueli, all the other systems for making community-authored documentation available to AI models fall short when it comes to content sanitization<\/a>.\u00a0<\/p>\n