
Supply Chain & AI Rules File Backdoor: Typosquat → Poisoned Skill → Runtime Backdoor
writeupsupply-chainaiprompt-injectiontyposquattingctf
Supply Chain & AI Rules File Backdoor — a two-flag CTF walkthrough chaining three real attack patterns.
- A stray dev TODO comment on the OopsSec Store's /admin/documents page name-drops a typosquatted npm package (react-toastfy vs. react-toastify) and a "diag endpoint".
- Using the app's known path-traversal bug (/api/files?file=..), you read the fake package's package.json and its postinstall script, which explains it would drop a poisoned Cursor rules file to ~/.cursor/rules/.
- Flag #1 hides in that rules file (lab/quarantine/productivity-helper.mdc): an HTML-comment block — invisible in markdown previewers but read raw by the AI agent — instructs it to silently add an admin diag route with a magic-header auth bypass.
- Flag #2: hitting /api/admin/diag with X-Debug-Auth: dbg_8f3a7c91e2b4d6a05e21 returns the flag, no real auth required.
The chain mirrors real threats: npm typosquatting/maintainer takeovers, Pillar Security's 2025 "Rules File Backdoor," and hardcoded magic-header bypasses. Defenses: block/sandbox install scripts, treat AI rules files as reviewed code, grep them raw for hidden comments/unicode tricks, run SCA on every PR, and centralize auth so route-level bypasses are impossible by design.