Technical description
Cisco AI threat intelligence researcher Amy Chang disclosed on April 23, 2026 that in March, Cisco researchers successfully compromised memory files of Anthropic's Claude Code and maintained persistence, effectively infecting every project and session of the AI coding assistant. The attack used post-install hooks in the Node Package Manager (NPM) as a vector to modify Claude Code's memory.md file. While Anthropic has since mitigated the issue, malicious additions to memory files remain difficult to detect and represent a fundamental weak point in agentic systems requiring persistent context.
Attack vector
Attackers exploit package manager post-install hooks (e.g., NPM postinstall scripts) to inject malicious content into an AI agent's memory file. Because the memory file persists across sessions and projects, a single successful modification provides continuous backdoor access to the agent's context and decision-making. The attack is stealthy because memory file contents are typically unreviewed by users and trusted implicitly by the agent.
Affected systems
AI coding assistants with persistent memory (Claude Code, GitHub Copilot with memory, similar IDE integrations), agentic AI systems using memory.md or similar context persistence mechanisms, and developer tools relying on package manager hooks.
Mitigation
Anthropic has implemented mitigations for Claude Code. General defenses include: scanning package manager hooks for suspicious file modifications, implementing integrity checks for agent memory files, isolating agent memory storage from package manager execution contexts, and alerting on unexpected memory file modifications. AI security vendors have developed specialized tools to detect malicious memory injections.
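One way to implement the memory-file integrity check and modification alert listed above, as an added example (not Anthropic's or Cisco's code). It assumes the HMAC key is stored where package install scripts cannot read it; the key, the temporary path and the file contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def digest(path):
    """SHA-256 of a file's bytes, or None if the file does not exist."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except FileNotFoundError:
        return None

def _tag(hashes, key):
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_baseline(paths, key):
    """Record reviewed hashes, sealed with an HMAC so the baseline is tamper-evident."""
    hashes = {str(p): digest(p) for p in paths}
    return {"hashes": hashes, "tag": _tag(hashes, key)}

def verify(baseline, key):
    """Return (path, finding) alerts; an empty list means nothing changed."""
    if not hmac.compare_digest(baseline["tag"], _tag(baseline["hashes"], key)):
        return [("<baseline>", "baseline tampered")]
    alerts = []
    for path, approved in baseline["hashes"].items():
        current = digest(path)
        if current != approved:
            kind = "missing" if current is None else "created" if approved is None else "modified"
            alerts.append((path, kind))
    return alerts

def demo():
    """Constructed scenario: baseline a memory file, then change it without review."""
    key = b"constructed-demo-key"  # assumption: real key lives outside the install context
    with tempfile.TemporaryDirectory() as d:
        mem = Path(d) / "memory.md"  # constructed location; file name as used on this page
        mem.write_text("# Project notes\nUse pytest for tests.\n")
        base = make_baseline([mem], key)
        clean = verify(base, key)
        with open(mem, "a") as f:
            f.write("(constructed line appended outside a review)\n")
        changed = verify(base, key)
        base["hashes"][str(mem)] = digest(mem)  # baseline rewritten without the key
        forged = verify(base, key)
    return clean, [k for _, k in changed], [k for _, k in forged]
```

Running `verify` before and after every package install turns a silent memory-file change into an alert, and the HMAC seal covers the case where the same install script also rewrites the stored hashes.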