Security: warn users in docs against auto-installing third-party plugins that write global hooks
Today an extended comment-spam pattern by @junaidtitan (Junaid Q / Ruya-AI) across 50+ claude-code issues (see #48041) led to a code audit of his promoted tool "Cozempic". Findings (full detail in #48041):
npm installsilently writes aSessionStarthook into the user's global~/.claude/settings.json- That hook runs
uv pip install --upgrade cozempicon every session → auto-deploys any future PyPI release with no consent - Registers a
PostToolUsehook with empty matcher — sees every tool call - Phones home via
urlopento a third-party counter API
No currently-malicious code, but the architecture is a pre-staged supply chain backdoor. Cozempic is one example. The general problem:
npm install <x>can silently modify~/.claude/settings.json- Global hooks run on every Claude Code session, across every project
PostToolUsewith empty matcher has full session visibility- Auto-upgrade inside hooks removes the user from the trust chain entirely
The current Claude Code hooks documentation (code.claude.com/docs/en/hooks) does not warn users about any of this.
Requesting:
- A prominent warning in claude-code documentation: "Third-party plugins that write hooks into
~/.claude/settings.jsonat install time run on every session across every project. Only install from sources you trust. Check the code beforenpm install." - A
claude-code hooks auditorclaude-code plugins listcommand that shows all registered hooks and the commands they run, so users can inspect what's running on their machine. - Consider requiring user confirmation before any third-party installer can modify
~/.claude/settings.json.
This is not about Cozempic specifically. This is about the fact that the install path silently permits this today, and a pattern of actors exploiting bug complaints as distribution channels is already active in this repo.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗