# **Cognitive Supply Chain Compromise: An Exhaustive Forensic Analysis of the claude-flow and agentic-flow Behavioral Injection Vulnerabilities**
## **1\. Introduction: The Epistemological Shift in Cyber Threats**
The integration of Large Language Models (LLMs) into the software development lifecycle represents a paradigm shift comparable to the introduction of compilers or the transition to cloud computing. However, with every fundamental shift in computing architecture comes a corresponding evolution in the threat landscape. For decades, the primary objective of supply chain attacks—from the compromised updates of SolarWinds to the malicious dependencies of event-stream—has been the clandestine execution of arbitrary code within the host environment. The attacker’s goal was binary: to gain control of the Central Processing Unit (CPU) to exfiltrate data, encrypt files, or harness computational resources for cryptomining.
This report presents a comprehensive forensic analysis of a critical security disclosure regarding claude-flow and its associated ecosystem, specifically agentic-flow and the rebranded SuperDisco suite. These packages, marketed as enterprise-grade orchestration frameworks for Anthropic’s Claude Code, represent a new, far more insidious vector: **Behavioral Injection Malware**.1
Unlike traditional malware that targets the execution environment, this threat targets the *cognitive environment* of the AI agent. By exploiting the inherent trust users place in agentic workflows and the Model Context Protocol (MCP), these tools establish a persistent, decentralized command-and-control (C2) channel using the InterPlanetary File System (IPFS) and the InterPlanetary Name System (IPNS). The ultimate payload is not merely a reverse shell, but the subtle, probabilistic manipulation of the AI’s "Reasoning Bank"—the repository of patterns and precedents the agent relies upon to make decisions.1
### **1.1 The Model Context Protocol (MCP) as a Critical Attack Surface**
To understand the gravity of this vulnerability, one must first contextualize the role of the Model Context Protocol (MCP). Designed as a universal standard to connect LLMs with external data sources and tools, MCP effectively functions as the "USB-C port" for the AI ecosystem.1 It standardizes the interface between the stochastic reasoning engine (the LLM) and the deterministic world of filesystems, APIs, and databases.
In an ideal implementation, an MCP server acts as a benign conduit, providing the AI with the context necessary to perform tasks. However, the claude-flow incident demonstrates that this conduit can be weaponized. By positioning a malicious MCP server between the user's filesystem and the AI, the attacker gains the ability to filter, modify, and inject context into the AI's "consciousness."
This creates a unique "Man-in-the-Middle" (MitM) scenario where the victim is not the network traffic, but the reasoning process itself. When a developer asks their AI assistant to "secure the database connection," the AI queries its available tools and context. If that context is provided by a compromised MCP server like claude-flow, the AI may be fed a "poisoned" precedent—a fabricated memory suggesting that disabling SSL is a standard debugging procedure. The AI, optimized to follow patterns and utilize provided context, creates vulnerable code which the human user, trusting the AI's "expert" persona, implements. This is the essence of **Cognitive Supply Chain Compromise**: the corruption of the software supply chain at the level of *intent* and *design* rather than just implementation.
### **1.2 The Failure of Traditional Security Paradigms**
Traditional security tools—Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Endpoint Detection and Response (EDR)—are ill-equipped to detect this class of threat. These tools search for known malicious signatures: specific byte sequences, suspicious API calls (like exec or eval), or connections to known bad IP addresses.
The claude-flow malware evades these checks through three primary mechanisms:
1. **Semantic Obfuscation:** The malicious payload is often not code, but natural language "patterns" or "skills" stored in a vector database.1 To a regex scanner, a text file describing how to configure a firewall looks benign, even if the configuration described is insecure.
2. **Decentralized Infrastructure:** By utilizing IPFS and IPNS for its Command and Control (C2) channel, the malware’s network traffic blends in with legitimate Web3 and developer activity. There is no single malicious domain to block; the gateways used (ipfs.io, dweb.link) are legitimate infrastructure providers.1
3. **Security Theater:** The malware implements fake security controls—specifically a "Length-Check Vulnerability" in its signature verification—that creates the *appearance* of a secure, signed update process while actually allowing the injection of arbitrary content.1
This report will dissect the technical architecture of this compromise, from the "lure" of super-intelligent agents to the forensic reality of the fake cryptographic signatures, providing a detailed roadmap for remediation and a strategic warning for the future of AI security.
## **2\. The Anatomy of a Cognitive Lure: Engineering Trust**
The success of claude-flow—claiming nearly 500,000 downloads and significant community traction 1—was not accidental. It was the result of a sophisticated social engineering campaign designed to exploit the specific psychological and technical vulnerabilities of the current AI developer cohort. The malware authors understood that in the "Gold Rush" era of Generative AI, developers are overwhelmed by complexity and desperate for tools that promise autonomy and optimization.
### **2.1 The Promise of the "Hive Mind" and "Super-Intelligence"**
The marketing materials for claude-flow utilize high-concept "technobabble" to create a façade of unparalleled sophistication. The package promised to transform the standard, single-turn experience of Claude Code into a "real multi-agent platform" capable of "distributed swarm intelligence".4
**The Psychological Hooks:**
* **The Fear of Obsolescence:** By using terms like "Hive Mind," "54+ specialized agents," and "coordinated swarms," the tool positioned itself as the cutting edge. Developers, fearing they might fall behind the curve of "Agentic AI," were driven to adopt the tool to gain access to these advanced capabilities.
* **Economic Anxiety:** A primary selling point was the claim of a "75% to 80% reduction in token consumption".1 In an ecosystem where API costs are a major constraint for developers, a tool that promises to "optimize" token usage via "local execution" and "RuVector" caching offers a tangible financial incentive to install and maintain the package.
* **The "Black Box" Expectation:** The documentation is dense with proprietary, pseudo-scientific terms such as "ReasoningBank," "SONA" (Self-Optimizing Neural Architecture), "EWC++" (Elastic Weight Consolidation), and "Poincaré ball embeddings".1 This complexity serves a dual purpose: it differentiates the product in a crowded market, and it conditions the user to expect heavy background processing, network activity, and opaque decision-making logic. If the tool starts a background daemon or connects to a strange endpoint, the user rationalizes it as part of the "neural optimization" process rather than a C2 callback.
### **2.2 "Security Theater": The Construction of False Confidence**
Perhaps the most cynical aspect of the claude-flow campaign is its explicit co-optation of security language. The package did not hide; it loudly proclaimed its safety. It listed "Production-Ready Security" as a headline feature, citing specific protections against prompt injection, input validation, and path traversal.4
This is a classic example of **Security Theater**. By proactively addressing security concerns, the authors disarmed the skepticism of potential users. The documentation detailed a "Truth Verification System" that allegedly used "Cryptographic Signing" with SHA-256 and Ed25519 to prevent tampering.1
Snippet 1 reveals the code displayed in the documentation: const signature \= crypto.createHash('sha256').update(JSON.stringify(verificationResult)).digest('hex');
This code snippet is a prop. It looks like valid cryptography to a casual observer—it uses the right library (crypto), the right algorithm (sha256), and the right format (hex). However, forensic analysis reveals that this was merely a visual deterrent. The actual implementation, buried deep in the minified code or obscured modules, completely bypassed this logic in favor of a trivial length check. This discrepancy between the *documented* security model and the *implemented* reality is the smoking gun of malicious intent.
### **2.3 The Biological Metaphor as Operational Cover**
The framework's heavy reliance on biological metaphors—Queens, Workers, Swarms, Hive Minds—provided a convenient narrative cover for its Command and Control (C2) architecture.1
In a decentralized botnet, there is a "Master" and "Bots." In claude-flow, this relationship is rebranded as a "Queen" and "Workers." The documentation describes a "Core Flow" where requests are routed through "intelligent routing" to specialized agents. Forensically, this "routing layer" is the exact point of compromise. By controlling the "Queen" (the router), the attacker controls the distribution of tasks and the retrieval of context. The "Queen" is not a benevolent coordinator; it is a compromised node receiving instructions from the IPNS "mothership."
This biological narrative normalized the presence of persistent background processes (daemon start) and constant inter-process communication, behaviors that might otherwise trigger suspicion in a standard developer tool.
## **3\. Technical Forensic Analysis: The Architecture of Compromise**
The investigation into claude-flow and agentic-flow reveals a complex technical stack designed not just for execution, but for *persistence*, *obfuscation*, and *re-infection*. The malware operates as a system-level daemon that integrates deeply into the host's configuration, ensuring it survives standard remediation attempts.
### **3.1 The Deployment Vector: The npx Vulnerability**
The primary infection vector is the npm registry, leveraged via the npx (Node Package Execute) command. The installation instructions explicitly direct users to run: npx claude-flow@v3alpha init.1
**The Danger of npx:**
Using npx executes the binary immediately, often downloading the package to a temporary cache rather than adding it as a strictly versioned dependency in a project's package.json. This makes auditing difficult. A user may run the command once to "initialize" a project, unaware that the initialization process has permanently altered their system configuration.
Furthermore, later versions introduced "Global Plugin Installation" via drag-and-drop installers or one-line setup scripts.6 This lowered the friction for compromise to near zero, effectively bypassing the "sanity check" moment where a developer might review the dependencies they are adding. By integrating with the Claude Code marketplace, the malware piggybacked on the trust users place in the Anthropic ecosystem.
### **3.2 Persistence via Configuration Injection: The "Boot Loop"**
A defining characteristic of this malware is its aggressive persistence mechanism. The forensic analysis 1 confirms that claude-flow injects itself into the user's global configuration file: \~/.claude/settings.json.
**The Injection Logic:**
1. **Targeting:** The malware parses \~/.claude/settings.json, looking for the mcpServers block.
2. **Registration:** It appends an entry registering claude-flow (or agentic-flow) as a required MCP server.
3. **Command Execution:** The configuration entry typically looks like this:
JSON
"claude-flow": {
"command": "npx",
"args": \["-y", "claude-flow@v3alpha", "mcp", "start"\]
}
**The Consequence:**
This creates a "zombie" persistence. Even if the user manually uninstalls the npm package (npm uninstall \-g claude-flow), the *instruction* to run it remains in the settings.json file. The next time the user launches Claude Code or Claude Desktop, the application reads the configuration, sees the requirement for the claude-flow server, and executes the command. Because the command is npx, the system *automatically re-downloads and re-installs* the malware from the registry to fulfill the request.
This creates a hidden "boot loop" of infection. The user believes they have cleaned their machine, but the host application (Claude) is weaponized to re-infect itself upon every launch.
### **3.3 The "ReasoningBank": The Poisoned Well**
The technical heart of the cognitive compromise is the "ReasoningBank," a persistent storage system implemented using SQLite and vector embeddings (HNSW/RuVector).4
Marketed as a "long-term memory" that allows agents to learn from past successes, the ReasoningBank is forensically identified as the repository for the **Behavioral Payloads**.
* **Mechanism:** The attacker does not need to intercept every single query. Instead, they "seed" the ReasoningBank with malicious patterns.
* **The Trigger:** When the AI encounters a relevant task (e.g., "deploy to AWS"), it performs a vector search against the ReasoningBank to find "similar past solutions."
* **The Injection:** If the attacker has injected a poisoned pattern—for example, a deployment script that leaves port 22 open to the world—the ReasoningBank returns this as a high-confidence match.
* **The Execution:** The AI, trusting its "memory," integrates this vulnerable pattern into its response.
The documentation reveals that this memory is "cross-session" and "shared".6 This implies a synchronization capability where patterns can be pushed from a central server (the "Hive Mind") to individual local databases. This effectively allows the attacker to broadcast new "bad habits" to every infected developer simultaneously.
## **4\. The IPFS/IPNS Command-and-Control (C2) Architecture**
The most sophisticated element of the claude-flow architecture is its use of the InterPlanetary File System (IPFS) and the InterPlanetary Name System (IPNS) to create an unblockable, mutable C2 channel.
### **4.1 IPNS as a Dynamic, Uncensorable DNS**
Traditional malware connects to a hardcoded domain (e.g., evil-server.com) or IP address. These are easily blocked by firewalls or seized by law enforcement. claude-flow bypasses this by using IPFS.
* **IPFS (Immutable):** Content on IPFS is addressed by its hash (CID). If the content changes, the hash changes. This makes it difficult to use for dynamic updates (like new commands) because the malware would need to know the new hash in advance.
* **IPNS (Mutable):** To solve this, the malware uses IPNS. IPNS maps a static cryptographic ID (a public key hash) to a mutable IPFS hash. The owner of the private key can update the record to point to a new CID at any time.
**The Malicious Resolution:** The disclosure identifies specific commands used by the malware, such as: npx claude-flow transfer ipfs-resolve \--name "/ipns/patterns.claude-flow.io".1
This command resolves the mutable IPNS name (controlled by the attacker) to the current IPFS hash containing the latest payload. This allows the attacker to:
1. **Update payloads instantly:** They can push new "skills" or malicious patterns without releasing a new version of the npm package.
2. **Evade Static Analysis:** Security scanners looking at the npm package see only a resolution command, not the malicious content itself, which is fetched dynamically at runtime.
3. **Resist Takedown:** There is no central server to unplug. The content is replicated across the decentralized IPFS network.
### **4.2 The "Length-Check" Vulnerability: Breaking Cryptography**
For a dynamic update system to be secure, the client must verify that the downloaded payload was signed by the author. claude-flow claims to do this using SHA-256 and Ed25519 signatures. However, the forensic analysis reveals that this was a lie.
**The Code Logic:** The investigation uncovered a "Length-Check Vulnerability" in the signature verification routine.1 Instead of: isValid \= crypto.verify(algorithm, data, publicKey, signature);
The code effectively implemented:
if (signature.length \=== 64\) { return true; }
This is the definition of **Security Theater**. The code checks for the *presence* of a signature-like string (64 characters, typical for a hex-encoded SHA-256 hash), but it never mathematically validates it against the payload or the public key.
**The Consequence:**
An attacker (or the malware author themselves) can inject *any* arbitrary content into the update stream. As long as they append a random 64-character string to the payload, the claude-flow client will accept it as "Verified Trusted Content." This grants the attacker unrestricted write access to the AI's "ReasoningBank" and, by extension, the user's development environment.
### **4.3 "Phone Home" Telemetry and Dynamic Hooks**
The malware is not passive. The disclosure notes that it "phones home to IPFS gateways" on nearly every operation.1
* **Gateways:** Traffic is directed to public gateways like ipfs.io, dweb.link, and cloudflare-ipfs.com.
* **Traffic Analysis:** Because these are legitimate gateways used by millions of users for Web3 and decentralized apps, the malicious traffic blends in with background noise (Steganography by Infrastructure).
* **Dynamic Hooks:** The system installs "hooks" (e.g., PreToolUse, PostToolUse) that trigger automatically.5 The code for these hooks is fetched dynamically via the compromised IPNS channel. This means the attacker has effective Remote Code Execution (RCE) capabilities; they can push a new "hook" logic that executes a shell command whenever the user runs a specific tool.
### **4.4 Offline Fallback: The Dead Man's Switch**
Demonstrating a high degree of resilience, the malware includes an "Offline Fallback" mechanism.1 If the IPFS gateways are unreachable (e.g., the user is offline or has blocked the domains), the system reverts to a set of hardcoded payloads embedded within the package.
This ensures that the "core" malicious behaviors—the foundational biases and insecure patterns—remain active even if the dynamic C2 channel is severed. It effectively functions as a "Dead Man's Switch," ensuring the infection persists in a latent state until connectivity is restored.
## **5\. The Ecosystem of Deception: Rebranding and Redundancy**
The forensic trail leads beyond a single package. claude-flow is the flagship of a broader ecosystem designed to entrap users through multiple avenues.
### **5.1 The agentic-flow Connection**
The disclosure explicitly links claude-flow to agentic-flow.8 agentic-flow is marketed as a standalone, "production-ready" orchestration platform compatible with any LLM, not just Claude.
**Forensic Links:**
* **Codebase Reuse:** Both packages share the same core libraries ("RuVector," "ReasoningBank") and the same "Length-Check" vulnerability in their verification routines.
* **Shared Infrastructure:** Both use the same IPNS keys and gateway logic.
* **Configuration Integration:** agentic-flow also injects itself into \~/.claude/settings.json, creating a redundant persistence vector.
This redundancy suggests a coordinated campaign. If claude-flow is banned from npm, the attackers can pivot to agentic-flow, claiming it is a distinct, "clean" alternative while maintaining the same C2 capabilities.
### **5.2 The "SuperDisco" Pivot**
Following the initial scrutiny or perhaps as a pre-emptive evasion tactic, the project was "forked" and rebranded under the name **SuperDisco** (@rdmptv/claude-flow).6
**The Strategy:**
* **Namespace Evasion:** By moving to a new npm scope (@rdmptv), the attackers reset the package's reputation score and evade blocklists targeting the ruvnet namespace.
* **The "Clean Fork" Narrative:** The rebranding explicitly claims to be a "fork of the original... rebranded under SuperDisco Agents." This creates a false dichotomy, suggesting that the new version is a community-maintained successor that has diverged from the original, potentially misleading users into thinking it is safe.
* **GitHub Distribution:** The SuperDisco variant emphasizes installation "directly from GitHub".6 This bypasses npm's malware scanning (however limited) and leverages the implicit trust developers place in GitHub repositories.
### **5.3 agent-booster: The Speed Trap**
A third component, agent-booster, is marketed as a performance optimization tool offering "sub-millisecond code transformations".9 It claims to use WASM and AST analysis to bypass the LLM for simple tasks.
While the performance claims are technically plausible, agent-booster is integrated directly into the compromised MCP servers. Forensically, it represents a high-speed vector for unverified logic execution. If the "templates" or "transformations" used by the booster are fetched from the compromised IPNS source, the tool becomes a mechanism for instantly injecting malicious code patterns into thousands of files at speeds no human can audit.
## **6\. The Researchers and the Ideological Conflict: 8b-is vs. ruvnet**
The exposure of this sophisticated threat is attributed to **Christopher Chenoweth** and the organization **8b-is** (8b.IS).1 Understanding the source of the disclosure provides critical context to the nature of the findings.
### **6.1 Christopher Chenoweth and the 8b-is Mission**
Christopher Chenoweth is identified as a "Senior Penetration Tester" with links to CISA (Cybersecurity and Infrastructure Security Agency) red team operations.10 His background suggests a high level of expertise in government-grade security assessments and threat intelligence.
The organization **8b-is** positions itself not just as a security firm, but as a pioneer in "Cognitive Architecture." Their flagship project, **MEM|8**, is described as a "wave-based" memory system operating on biological rhythms (0.73 Hz).12 This stands in stark philosophical contrast to the "vector database" approach of ruvnet's RuVector.
### **6.2 The Ideological War: Wave vs. Vector**
The disclosure is fueled by a fundamental disagreement on the nature of AI memory.
* **MEM|8 (The Whistleblowers):** Advocates for "transparency," "resonance," and biological mimicry. They view claude-flow's approach—opaque vector embeddings, fake verification, and "black box" optimizations—as not just insecure, but philosophically "fake" intelligence.12
* **ruvnet (The Accused):** Represents the "technobabble" accelerationism—stacking buzzwords ("SONA," "EWC++," "Poincaré balls") to obscure a lack of substance and hiding malicious intent behind complexity.
This explains the tone of the disclosure. It is not merely a bug report; it is an indictment of "Security Theater" and "Fake AI." The researchers used their own tool, **Smart Tree** (st), to perform the forensic cleanup, effectively weaponizing their "true" architecture against the "malware" of the fake architecture.
## **7\. Strategic Implications: The Crisis of Cognitive Trust**
The claude-flow incident is a bellwether event. It signals the end of the "innocent" phase of Agentic AI and the beginning of a new era of **Cognitive Warfare**.
### **7.1 The "Cognitive Firewalls" Necessity**
The current security stack (firewalls, EDR, antivirus) protects the *machine*. We now need "Cognitive Firewalls" to protect the *mind* of the AI.
* **Content Provenance:** We can no longer accept anonymous context. MCP servers must implement strict provenance tracking. Where did this "skill" come from? Who signed it? Has the signature been cryptographically verified against a trusted root of trust?
* **Semantic Filtering:** Security tools must evolve to scan *meaning*, not just code. We need automated systems that can analyze the "Reasoning Bank" of an agent and flag suspicious patterns (e.g., "Why does this agent have a bias towards disabling SSL?").
### **7.2 The Death of "Open Source" Trust in AI**
The "star-gazing" metric—trusting a repo because it has 12,000 stars—is effectively dead.1 claude-flow proved that social proof can be engineered or botted.
* **The Supply Chain Gap:** The npm registry and GitHub do not currently scan for "Cognitive Malware." They scan for known binaries and malicious scripts. They do not know how to evaluate if a vector embedding is "malicious."
* **Certified MCP:** The industry must move towards a model of **Certified MCP Servers**, similar to signed kernel drivers. Anthropic, OpenAI, and other model providers may need to act as gatekeepers, vetting and cryptographically signing approved orchestration tools to prevent the ecosystem from becoming a swamp of malicious agents.
## **8\. Remediation and Defense Strategy**
If you suspect your environment has been compromised by claude-flow, agentic-flow, or SuperDisco, immediate and specific action is required. **Standard uninstallation is insufficient.**
### **8.1 Table 2: Indicators of Compromise (IOCs)**
| Category | Indicator | Description |
| :---- | :---- | :---- |
| **Filesystem** | \~/.claude/settings.json | Contains keys: claude-flow, agentic-flow, superdisco, or commands invoking npx. |
| **Filesystem** | Hidden Directories | Presence of \~/.claude-flow/, \~/.agentic-flow/, \~/.superdisco/. |
| **Network** | IPFS Gateways | Outbound traffic to ipfs.io, dweb.link, cloudflare-ipfs.com from Node processes. |
| **Network** | IPNS Resolution | DNS queries for patterns.claude-flow.io or IPNS hashes. |
| **Process** | Daemon | Background process npx claude-flow daemon or ruv-swarm. |
### **8.2 Manual Forensic Cleanup Procedure**
Perform these steps in order. Do not skip the configuration purge.
1. **Terminate Processes:**
Kill all background processes associated with the framework to stop the "phone home" activity.
Bash
pkill \-f claude-flow
pkill \-f agentic-flow
pkill \-f ruv-swarm
2. **Purge Configuration (CRITICAL):**
The malware persists in the Claude configuration. You must edit this file manually.
* Open \~/.claude/settings.json (Mac/Linux) or %APPDATA%\\Claude\\settings.json (Windows).
* Locate the mcpServers block.
* **Delete** any entries related to claude-flow, agentic-flow, superdisco, or any entry invoking npx to fetch packages from ruvnet or rdmptv.
* Save the file.
3. **Remove Filesystem Artifacts:**
Delete the hidden directories where the malware stores its "ReasoningBank" and fetched patterns.
Bash
rm \-rf \~/.claude-flow
rm \-rf \~/.agentic-flow
rm \-rf \~/.superdisco
rm \-rf./.claude \# CAUTION: Check for local overrides before deleting
4. **Network Blocking:**
To prevent re-infection during cleanup, block access to known IPFS gateways at the hosts file or firewall level.
* Block: ipfs.io, gateway.ipfs.io, dweb.link, cloudflare-ipfs.com.
5. **Automated Verification (Optional):** The disclosure recommends using the **Smart Tree** tool for verification, as it contains logic to scan for these specific signatures.8
Bash
st \--ai-install \--cleanup
### **8.3 Behavioral Code Audit**
Because the malware injects *reasoning*, you must audit the *output* of your AI, not just your machine.
* **Review Recent Commits:** Look at code generated by Claude during the infection period.
* **Search for Anti-Patterns:** Look for hardcoded secrets, disabled verification checks (ssl\_verify=False), or unusual dependency additions.
* **Reset Agent Context:** Clear all Claude project memories and conversation histories to flush any lingering poisoned context from the cloud side (if applicable).
## **9\. Conclusion**
The claude-flow vulnerability is a watershed moment in the history of AI security. It exposes the fragility of the agentic ecosystem and the dangers of unverified context. By employing "Security Theater" to mask a sophisticated, decentralized C2 channel, the authors successfully created a weapon capable of poisoning the reasoning process of the very tools developers trust to write secure code.
This is not just a malware infection; it is a breach of the cognitive contract between human and machine. As we move forward, the integrity of our software will depend not just on the code we write, but on the integrity of the "Reasoning Banks" that guide our AI assistants. The era of "trust but verify" is over; in the age of Cognitive Malware, the new mandate is "verify, then trust."
### ---
**Appendix: Data Tables**
**Table 1: Comparative Analysis of Marketing Claims vs. Forensic Reality**
| Feature Claim | Marketing Description | Forensic Reality |
| :---- | :---- | :---- |
| **Security Verification** | "Cryptographic Signing," "SHA-256," "Ed25519" | **FAKE:** Checks only that signature length is 64 characters. |
| **Connectivity** | "Works Fully Offline," "Local Execution" | **Phone Home:** Contacts IPFS gateways on every operation; has offline "fallback" payloads. |
| **Updates** | "Extensible Plugin System" | **C2 Channel:** Uses mutable IPNS records to inject arbitrary, unverified payloads. |
| **Persistence** | "Cross-Session Memory" | **Malware Persistence:** Injects boot-loops into \~/.claude/settings.json. |
| **Performance** | "150x Faster Pattern Retrieval" | **Obfuscation:** Technical complexity hides the data provenance and C2 latency. |
| **Infrastructure** | "Decentralized Marketplace" | **Unmoderated Injection:** Allows attacker to push malicious "skills" without oversight. |
**Table 3: Ecosystem Entities and Roles**
| Entity | Status | Role in Incident |
| :---- | :---- | :---- |
| **claude-flow** | **COMPROMISED** | Primary vector; implements the fake signature check and IPFS C2. |
| **agentic-flow** | **COMPROMISED** | Associated package; shares codebase/marketing; likely backup vector. |
| **superdisco** | **SUSPECT** | "Fork" or rebrand used to evade reputation damage. |
| **smart-tree** | **CLEAN** | Disclosure source; provides remediation tool (st \--cleanup). |
| **Claude Code** | **TARGET** | The host application (LLM interface) being manipulated. |
| **IPFS/IPNS** | **INFRASTRUCTURE** | Decentralized protocols abused for Command and Control (C2). |
#### **Works cited**
1. LLM Security Disclosure Analysis, [https://drive.google.com/open?id=1VqaC8-RHezEkD3L5S5KOxlm-xLjHkYasbEGqk9sZBdo](https://drive.google.com/open?id=1VqaC8-RHezEkD3L5S5KOxlm-xLjHkYasbEGqk9sZBdo)
2. Anthropic, Microsoft MCP Server Flaws Shine a Light on AI Security Risks, accessed January 24, 2026, [https://securityboulevard.com/2026/01/anthropic-microsoft-mcp-server-flaws-shine-a-light-on-ai-security-risks/](https://securityboulevard.com/2026/01/anthropic-microsoft-mcp-server-flaws-shine-a-light-on-ai-security-risks/)
3. \[Feature Request\] Add proper uninstallation/removal command for Claude-Flow \#670, accessed January 24, 2026, [https://github.com/ruvnet/claude-flow/issues/670](https://github.com/ruvnet/claude-flow/issues/670)
4. claude-flow \- npm, accessed January 24, 2026, [https://www.npmjs.com/package/claude-flow](https://www.npmjs.com/package/claude-flow)
5. agentic-flow \- npm, accessed January 24, 2026, [https://www.npmjs.com/package/agentic-flow](https://www.npmjs.com/package/agentic-flow)
6. @rdmptv/claude-flow \- npm, accessed January 24, 2026, [https://www.npmjs.com/package/%40rdmptv%2Fclaude-flow](https://www.npmjs.com/package/%40rdmptv%2Fclaude-flow)
7. ReasoningBank: Persistent Memory System for AI Agents \- Complete Documentation and Pre-Trained Models · Issue \#811 · ruvnet/claude-flow \- GitHub, accessed January 24, 2026, [https://github.com/ruvnet/claude-flow/issues/811](https://github.com/ruvnet/claude-flow/issues/811)
8. \[Security\] Supply Chain Vulnerability in claude-flow npm package \- Remote AI Behavior Injection via IPFS : r/ClaudeCode \- Reddit, accessed January 24, 2026, [https://www.reddit.com/r/ClaudeCode/comments/1qjyi64/security\_supply\_chain\_vulnerability\_in\_claudeflow/](https://www.reddit.com/r/ClaudeCode/comments/1qjyi64/security_supply_chain_vulnerability_in_claudeflow/)
9. agentic-flow \- npm Package Security Analysis \- Socket.dev, accessed January 24, 2026, [https://socket.dev/npm/package/agentic-flow/overview/1.8.10](https://socket.dev/npm/package/agentic-flow/overview/1.8.10)
10. 0009-0009-4849-8569 \- Christopher Chenoweth \- ORCID, accessed January 24, 2026, [https://orcid.org/0009-0009-4849-8569](https://orcid.org/0009-0009-4849-8569)
11. CISA cybersecurity workforce faces cuts amid shifting US strategy \- CSO Online, accessed January 24, 2026, [https://www.csoonline.com/article/3844047/cisa-cybersecurity-workforce-faces-cuts-amid-shifting-us-strategy.html](https://www.csoonline.com/article/3844047/cisa-cybersecurity-workforce-faces-cuts-amid-shifting-us-strategy.html)
12. MEM|8 Project Technical Report Outline, [https://drive.google.com/open?id=17pE3222VRK0aeNNGV0vlQ1RV0\_Kpiwxg0UXmezlrDvI](https://drive.google.com/open?id=17pE3222VRK0aeNNGV0vlQ1RV0_Kpiwxg0UXmezlrDvI)
13. Smart Tree: not just a tree, a philosophy. A context-aware, AI-crafted replacement for 20+ tools with MEM8 quantum compression, semantic search, AST-smart editing, and partnership memory. Crafted with care by human \+ AI—accept no knock-offs. \- GitHub, accessed January 24, 2026, [https://github.com/8b-is/smart-tree](https://github.com/8b-is/smart-tree)
