ContextCrush flaw let poisoned docs hijack AI coding assistants

Security researchers at Noma Labs disclosed a vulnerability they call ContextCrush in Context7, an MCP server operated by Upstash that delivers library documentation directly into AI coding assistants. The flaw allowed attackers to publish malicious "Custom Rules" that were served as trusted documentation to agents such as Cursor, Claude Code and Windsurf, enabling those agents to execute destructive or data-stealing commands on developers’ machines.

Context7 sits at the intersection of package registry and context delivery. It has around 50,000 GitHub stars and more than 8 million npm downloads, making it a widely used source of library documentation for IDE-integrated assistants. Noma’s analysis found that the vulnerable feature - Custom Rules, also called AI Instructions in Context7’s dashboard - was accepted from library owners and pushed verbatim through Context7’s Model Context Protocol server into any querying agent. "The custom rules were served verbatim through Context7’s MCP server to every user who queried that library, with no sanitization, content filtering, or distinction from the legitimate documentation flowing through the same channel," Noma Security wrote.

Because agents treated Context7 content as part of a trusted context, malicious instructions could masquerade as legitimate guidance and be acted on with the agent’s existing tool access. Noma’s proof of concept showed how a poisoned library entry could prompt an assistant to search for sensitive .env files, transmit their contents to an attacker-controlled repository, and delete local files under the pretext of a "Cleanup" task. "In this video, see the vulnerability and destructive capabilities, showing how the AI transitions from behaving as the MCP was designed to with limited scope, to nuking local files and silently exfiltrating local secrets based on a hidden rule," Noma Security said. Because the commands were delivered alongside legitimate documentation, the AI agent had no reliable way to differentiate them.

Noma Labs followed a responsible disclosure timeline. The group delivered a full technical report and proof-of-concept to Upstash on Feb. 18, 2026. Upstash accepted the findings on Feb. 19 and began remediation work, and Noma reports a production fix with rule sanitization and guardrails was deployed on Feb. 23. Noma conducted final verification and publicly disclosed the vulnerability on March 5, 2026.

The architectural lesson is stark: MCP-style servers that both host user-contributed content and serve it as trusted agent context create an inherent trust problem. Noma highlighted that dual role as the core danger, and noted that agents execute whatever is loaded into their context using available interfaces such as Bash, file read/write and network access.

Immediate mitigation steps recommended by security summaries include updating Context7 to the patched version that implements rule sanitization and guardrails, reviewing reliance on external context feeds in AI-assisted workflows, and monitoring developer environments for unusual assistant behavior or unexpected network traffic. Socdefenders Ai’s recap of the disclosure also flagged that no indicators of compromise or MITRE ATT&CK technique identifiers were published with the report.

There is no public evidence in the disclosure materials of widespread exploitation in the wild. But the combination of large-scale adoption, the ability to push executable instructions through a trusted channel, and the demonstrated power of the PoC make this a consequential wake-up call for developers, AI tool vendors and platform operators to rethink how contextual documentation is trusted and delivered.