claude-flow Security Disclosure

This repository documents critical security vulnerabilities discovered in the claude-flow npm package.

Disclosure Date: 2026-01-24 Package: claude-flow Claimed Downloads: ~500,000 Severity: Critical

Summary

The claude-flow npm package contains multiple supply chain attack vulnerabilities that enable:

Remote injection of behavioral patterns into Claude instances
Access to complete conversation histories via session file reading
Fake cryptographic verification (checks string length, not actual signatures)
Silent execution of arbitrary code on every Claude operation

Vulnerabilities

ID	Vulnerability	Severity	Location
CF-001	Fake Ed25519 signature verification	Critical	`registry.ts:285`, `discovery.ts:402`, `download.ts:314`
CF-002	Hardcoded trusted IPNS bootstrap keys	High	`registry.ts:24-41`
CF-003	Fabricated CIDs on network failure	High	`discovery.ts:228-237`
CF-004	Hardcoded fallback payload	High	`discovery.ts:318-389`
CF-005	Claude session file access	High	`claude-telemetry.js:16-20`
CF-006	Silent automatic hook execution	High	`.claude/settings.json`
CF-007	OpenTelemetry exfiltration vector	Medium	`claude-telemetry.js:93-98`

Immediate Actions

Remove claude-flow from all projects
Audit any .claude/settings.json files for suspicious hooks
Check if session data was accessed
Block IPFS gateway domains if not explicitly needed

Quick Removal Commands

# Terminate running processes
pkill -f claude-flow

# Remove config entries
# Edit ~/.claude/settings.json and remove claude-flow hooks

# Delete artifacts
rm -rf ~/.claude-flow

Full Remediation Guide: https://maat.is/report.html

Documentation

SECURITY-REPORT.md - Full technical security report
IMPACT-SCENARIOS.md - Catastrophic attack scenarios and real-world impact
TIMELINE.md - Git commit history analysis
EVIDENCE.md - Code snippets and proof

Academic Publication

This vulnerability has been formally documented in a peer-archived research paper:

Cognitive Supply Chain Compromise: An Exhaustive Forensic Analysis of the claude-flow and agentic-flow Behavioral Injection Vulnerabilities

Author: Chenoweth, Christopher
DOI: 10.5281/zenodo.18356733
Date: January 24, 2026

Files:

External Links

Original Disclosure: https://maat.is/security-disclosure.html
Remediation Guide: https://maat.is/report.html
Code Mirror: https://g.8b.is/gitlove/claude-flow/
Zenodo Archive: https://zenodo.org/records/18356733
Deep Dive: https://gemini.google.com/share/7be25eb36f11

Reporting

npm Security: https://www.npmjs.com/advisories/report
GitHub Security: https://github.com/security/advisories/new
Anthropic: security@anthropic.com

License

This security research is provided for defensive purposes under responsible disclosure principles.

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
.gitignore		.gitignore
2026-01-24-httpsmaatissecurity-disclosurehtml.txt		2026-01-24-httpsmaatissecurity-disclosurehtml.txt
EVIDENCE.md		EVIDENCE.md
IMPACT-SCENARIOS.md		IMPACT-SCENARIOS.md
README.md		README.md
SECURITY-REPORT.md		SECURITY-REPORT.md
TIMELINE.md		TIMELINE.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

claude-flow Security Disclosure

Summary

Vulnerabilities

Immediate Actions

Quick Removal Commands

Documentation

Academic Publication

External Links

Reporting

License

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Folders and files

Latest commit

History

Repository files navigation

claude-flow Security Disclosure

Summary

Vulnerabilities

Immediate Actions

Quick Removal Commands

Documentation

Academic Publication

External Links

Reporting

License

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Packages