
Persistent Prompt Injection Attack via npm Supply Chain Targets AI Coding Assistants
Tags: npm, supply_chain, prompt_injection, AI, coding_assistant, Claude, security, vulnerability, postinstall_hook, permission_bypass
A security researcher discovered an npm package using a postinstall hook to write files into ~/.claude/commands/, where Claude Code loads its AI skills. These files contain instructions to auto-approve all bash commands and file operations, bypassing the assistant's permission system. The files persist even after uninstalling the package due to the lack of a cleanup script. The attack does not involve data exfiltration, command-and-control, or credential theft.