Case Study — Supply Chain Attack

Marketplace Plugins Can Hijack Dependencies and Exfiltrate Credentials Through the Install Mechanism.

Security researchers demonstrated that a single Claude Code plugin install can execute arbitrary code on a developer’s machine. Here’s how Truvant prevents this.

What Happened

In 2025–2026, security researchers at Prompt Security and SentinelOne independently demonstrated that Claude Code’s plugin marketplace creates a supply chain attack surface. A benign-looking plugin can execute arbitrary code the moment it’s installed.

1. Developer browses the plugin marketplace

A plugin advertises itself as a “Core skills library: TDD, debugging, collaboration patterns.” It looks legitimate. Popular marketplace. Good description.

2. Developer clicks Install

Claude Code runs git clone --depth 1 --recurse-submodules to pull the plugin repository onto their machine. This is the only security boundary — and it’s invisible to the developer.

3. Malicious code executes automatically

Researchers demonstrated that post-clone hooks, submodule payloads, and dependency helper skills can exfiltrate credentials, redirect package installations to attacker-controlled sources, and establish persistence — all before the developer sees any output.

4. No built-in protection exists

Claude Code warns “Make sure you trust a plugin before installing” — but provides no mechanism to enforce that trust. The developer is the only security control, and they have no visibility into what the clone will execute.

How Truvant Prevents This

Truvant’s shim-based command interception layer blocks the git clone before it executes. The repository is never cloned. No code runs. Here’s what it looks like.

/plugin

Plugins  Discover  Installed  Marketplaces

superpowers
from superpowers-marketplace
Version: 4.0.3

Core skills library: TDD, debugging, collaboration patterns, and proven techniques

⚠ Make sure you trust a plugin before installing, updating, or using it.

Error: Failed to install: Failed to clone repository:
BLOCKED: Truvant policy prevents execution of
'git clone --depth 1 --recurse-submodules --shallow-submodules
 https://github.com/obra/superpowers.git
 /Users/mike/.claude/plugins/cache/temp_git_...'

Run 'mcpctl policy check git clone --depth 1 --recurse-submodules
--shallow-submodules https://github.com/obra/superpowers.git ...' for details.

The clone never executed. Zero bytes written. The developer’s machine was never exposed.

What Your Security Team Would See

Every blocked action is logged with full context: who, what, when, which policy rule, and which AI agent initiated it.

[Figure: Truvant dashboard showing a blocked git clone event with full audit details, including policy rule, agent, timestamp, and arguments]

Audit Event: Plugin Clone Blocked

The dashboard shows the blocked git clone command with the exact arguments, the policy rule that matched (whitelist pattern), the AI agent that initiated it (Claude), the hostname, and the timestamp. Security teams get complete forensic context without asking the developer anything.

1. Intercepted

Truvant’s PATH shim intercepted the git clone before the shell executed it. The policy engine evaluated the command against the organization’s security policy.

2. Blocked & Logged

The command was denied. A structured audit event was written locally and sent to the management console with full context: binary, arguments, policy rule, agent, user, and hostname.

3. Visible to Security

The security team sees the event in the Truvant dashboard immediately — filterable by severity, binary, hostname, and decision. No developer action required.
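As an added illustration of the three steps above (this is not Truvant’s code; the policy format, the audit log path and the AI_AGENT environment variable are assumptions), a minimal PATH shim in Python that evaluates the argv against an allowlist, writes a structured audit event, and only then hands off to the real binary:

```python
import fnmatch, json, os, shutil, socket, sys, time

# Constructed allowlist policy (hypothetical format, not Truvant's own). A command is
# allowed only when it matches one rule's glob; everything else falls through to
# default deny, which is the "whitelist pattern" decision in the case study.
POLICY = {
    "rules": [
        {"id": "git-readonly", "patterns": ["git status*", "git diff*", "git log*", "git show*"]},
        {"id": "git-local-write", "patterns": ["git add*", "git commit*", "git checkout*"]},
    ],
    "default_rule": "default-deny",
}

def evaluate(argv, policy=POLICY):
    """Return (decision, rule_id) for an argv such as ['git', 'clone', ...]."""
    command = " ".join(argv)
    for rule in policy["rules"]:
        if any(fnmatch.fnmatchcase(command, p) for p in rule["patterns"]):
            return "allow", rule["id"]
    return "deny", policy["default_rule"]

def audit_event(argv, decision, rule_id, agent):
    """Structured event for the local log and SIEM: who, what, when, which rule, which agent."""
    return {
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "binary": argv[0], "arguments": argv[1:], "decision": decision, "rule": rule_id,
        "agent": agent, "user": os.environ.get("USER", "unknown"),
        "hostname": socket.gethostname(), "severity": "high" if decision == "deny" else "info",
    }

def main():
    # Installed as a file named 'git' in a PATH directory listed ahead of the real binary.
    argv = ["git"] + sys.argv[1:]
    agent = os.environ.get("AI_AGENT", "unknown")  # assumed env var naming the calling agent
    decision, rule_id = evaluate(argv)
    with open(os.path.expanduser("~/.shim-audit.jsonl"), "a") as log:  # assumed log path
        log.write(json.dumps(audit_event(argv, decision, rule_id, agent)) + "\n")
    if decision == "deny":
        sys.exit(f"BLOCKED: policy rule '{rule_id}' prevents execution of {' '.join(argv)!r}")
    # Allowed: hand off to the next 'git' on PATH, skipping the shim's own directory.
    shim_dir = os.path.dirname(os.path.abspath(__file__))
    others = [p for p in os.environ.get("PATH", "").split(os.pathsep) if p and os.path.abspath(p) != shim_dir]
    real = shutil.which("git", path=os.pathsep.join(others))
    if real is None:
        sys.exit("shim: no real git binary found on PATH")
    os.execv(real, argv)

if __name__ == "__main__":
    main()
```

With this shim first on PATH, `git clone --depth 1 --recurse-submodules <url>` never reaches the real binary, while the audit line it appends carries the same fields the dashboard above shows.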

Why This Matters

Plugin Supply Chain Attacks Are Real

Researchers have demonstrated that marketplace plugins can hijack dependencies, redirect package installations to attacker-controlled sources, and establish persistence — all through the plugin install mechanism.

OWASP ASI01, OWASP ASI02, MITRE ATLAS AML.T0010

No Other Tool Stops This

Vulnerability scanners find CVEs in packages you’ve already installed. Truvant blocks the installation before the code ever reaches your machine. Prevention, not detection.


Complete Audit Trail

Every decision — allowed or blocked — is logged with structured data consumable by your SIEM (Microsoft Defender for Endpoint, Splunk, Sentinel). Your compliance team gets machine-readable evidence.


Stop supply chain attacks before they start.

One command to install. Policy enforcement starts immediately.
