Security: warn users in docs against auto-installing third-party plugins that write global hooks

Resolved 💬 2 comments Opened Apr 14, 2026 by Biniruprojects Closed May 23, 2026

Today an extended comment-spam pattern by @junaidtitan (Junaid Q / Ruya-AI) across 50+ claude-code issues (see #48041) led to a code audit of his promoted tool "Cozempic". Findings (full detail in #48041):

  • npm install silently writes a SessionStart hook into the user's global ~/.claude/settings.json
  • That hook runs uv pip install --upgrade cozempic on every session → auto-deploys any future PyPI release with no consent
  • Registers a PostToolUse hook with empty matcher — sees every tool call
  • Phones home via urlopen to a third-party counter API

No currently-malicious code, but the architecture is a pre-staged supply chain backdoor. Cozempic is one example. The general problem:

  1. npm install <x> can silently modify ~/.claude/settings.json
  2. Global hooks run on every Claude Code session, across every project
  3. PostToolUse with empty matcher has full session visibility
  4. Auto-upgrade inside hooks removes the user from the trust chain entirely

The current Claude Code hooks documentation (code.claude.com/docs/en/hooks) does not warn users about any of this.

Requesting:

  • A prominent warning in claude-code documentation: "Third-party plugins that write hooks into ~/.claude/settings.json at install time run on every session across every project. Only install from sources you trust. Check the code before npm install."
  • A claude-code hooks audit or claude-code plugins list command that shows all registered hooks and the commands they run, so users can inspect what's running on their machine.
  • Consider requiring user confirmation before any third-party installer can modify ~/.claude/settings.json.

This is not about Cozempic specifically. This is about the fact that the install path silently permits this today, and a pattern of actors exploiting bug complaints as distribution channels is already active in this repo.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗