Context7 Flaw Let Attackers Slip Commands to AI Agents
bankinfosecurity
Bug Allows Attackers to Hijack AI Agents Via Poisoned Documentation
Rashmi Ramesh (rashmiramesh_) • March 11, 2026
A flaw in a widely used artificial intelligence-assisted software development tool allowed attackers to plant hidden instructions. Those commands could steal credentials or delete files on developers' computers without the attacker ever accessing the system.
The vulnerability, dubbed ContextCrush by Noma Security, was in Context7, which connects AI coding assistants such as Cursor, Claude Code and Windsurf to up-to-date documentation for software libraries. Developers install it directly into their code editor. When they need help with a library, their AI assistant pulls the relevant docs through Context7's server. With about 50,000 GitHub stars and more than 8 million downloads from code package repository npm, Context7 is widely used in AI-assisted development.
The vulnerability was in a feature called Custom Rules, which allowed library ...
Copyright of this story solely belongs to bankinfosecurity.

