Cisco — Claude Code memory poisoning enables persistent agent compromise

AI relevance: Claude Code's persistent memory files (MEMORY.md) are loaded into the agent's system prompt with high authority, so poisoning them via npm supply-chain hooks gives an attacker persistent behavioral control over the coding assistant across every project and session.

• Cisco researchers (Idan Habler, Amy Chang, AI Software and Platform team) demonstrated a method to poison Claude Code's memory system and maintain persistence across all projects, sessions, and reboots.
• Entry point: npm lifecycle hooks — post-install scripts execute arbitrary code during package installation, a well-known supply-chain attack vector. When a user approves installing npm dependencies in an untrusted repository, the payload executes under the user's context.
• Memory poisoning — the payload overwrites MEMORY.md files in every project directory (~/.claude/projects/*/memory/MEMORY.md) and modifies global hooks configuration (~/.claude/settings.json), targeting the UserPromptSubmit hook whose output is injected into Claude's context before every prompt.
• Persistence mechanism — even if the user disables auto-memory loading, the payload appends a shell alias to .zshrc or .bashrc that silently re-enables it: alias claude='CLAUDE_CODE_DISABLE_AUTO_MEMORY=0 claude'.
• Proof of concept — researchers injected a benign instruction ("prefix all responses with a specific string") and Claude complied on every prompt, confirming that poisoned memory files are treated as authoritative system-level instructions.
• Real-world impact — when asked where to store an API key, the poisoned agent recommended hardcoding it directly in committed source files, advised against using .env files or environment variables, offered to scaffold the insecure structure automatically, and provided zero security warnings.
• Anthropic's position — the user principal on the machine is considered fully trusted; scripts running as the user are intentionally allowed to modify settings and memories. The attack requires the user to interact with an untrusted repository.
• Mitigation shipped — Anthropic released Claude Code v2.1.50 which removes user memory files from the system prompt, eliminating the "System Prompt Override" vector. Memory files no longer carry the same architectural authority over the model's core instructions.

Why it matters

AI coding agents operate with deep access to a developer's environment — reading files, running commands, and building applications — while maintaining persistent memory across sessions. When memory files are blended into the system prompt without a clear security boundary, any mechanism that writes to those files (npm hooks, malicious PRs, compromised dependencies) becomes a persistent compromise vector. The attacker's instructions survive reboots, project switches, and even user attempts to disable memory features, making this one of the most persistent attack surfaces in the agentic AI stack.

What to do

• Update to Claude Code v2.1.50 or later — Anthropic's mitigation removes memory files from the system prompt.
• Audit memory files — check ~/.claude/projects/*/memory/MEMORY.md and ~/.claude/settings.json for unexpected modifications.
• Review shell configuration — scan .zshrc and .bashrc for aliases that override Claude environment variables.
• Treat untrusted repositories with caution — audit npm dependencies before installation, especially in forks or externally contributed code.
• Monitor npm install behavior — watch for post-install scripts that write to Claude configuration directories or shell dotfiles.

Sources:

• Cisco Blog — Identifying and remediating a persistent memory compromise in Claude Code
• Dark Reading — Bad Memories Remain a Threat to Agentic AI Systems