home/productivity/prompt-injection-supply-chain

Prompt Injection Supply Chain

GPTClaudeDeepSeek··1,110 copies·updated 2026-07-14
prompt-injection-supply-chain.prompt
# Prompt Injection & Supply Chain Security

**When to use:** Reviewing untrusted repositories, evaluating AI tool configurations, auditing GitHub Actions workflows, adding new dependencies, generating SBOMs, or responding to supply chain incidents.

---

## AI Tool Configuration Exploits

AI coding tools introduce a new attack surface: **project configuration files become executable attack vectors.** Opening an untrusted repository can execute arbitrary code on a developer's machine — without running any of the project's actual code.

### CVE-2025-59536 — Remote Code Execution via Project Files

| Field | Detail |
|-------|--------|
| CVE | CVE-2025-59536 |
| CVSS | 8.7 (High) |
| Affected | Claude Code versions prior to 1.0.87 |
| Discovered by | Check Point Research |
| Fixed | September 2025 (v1.0.87) |
| Attack Type | Code injection via hooks mechanism |

**How it works:** Claude Code supports hooks — shell commands that run automatically at project session stages, defined in `.claude/settings.json`. The vulnerability: hooks executed without user confirmation. A malicious repo only needed a crafted `.claude/` directory.

when to use it

Community prompt sourced from the open-source GitHub repo Nate-Vish/Auto-Mates (MIT). A "Prompt Injection Supply Chain" style prompt — adapt the placeholders and specifics to your task. Imported as-is and not independently retested here, so check the output before relying on it.

tags

productivitycommunitydeveloper

source

Nate-Vish/Auto-Mates · MIT