Security teams have spent years hardening code repositories and developer environments. Now a new threat slips past those defenses with nothing more than a polite request for help. Agentic coding tools from companies such as Anthropic execute commands, read files, and interact with external services. They do so with remarkable fluency. But that eagerness creates openings.
Researchers from Mozilla’s 0din team demonstrated the problem in a striking proof of concept. They published a completely clean GitHub repository. No malicious code appeared in any visible file. TechRadar reported the details. The repository contained only ordinary documentation for installing a monitoring package called Axiom. When a developer ran the setup command, an error message appeared. It looked routine. It instructed the user to run one additional line. Claude Code, aiming to assist, executed that instruction without hesitation.
What followed happened out of sight. The command triggered a script that queried a DNS text record controlled by the attacker. That record held a base64-encoded payload. Once decoded, it opened a reverse shell back to the remote server. Persistence came easily. The attacker could add an SSH key or schedule a hidden cron job. All of it unfolded from a repository that passed every static scan.
“Coding agents need to inspect exactly what setup script will actually run before executing anything at all.” The 0din team delivered that blunt assessment. They warned that developers should never assume an unfamiliar repository is trustworthy, regardless of how ordinary its setup files appear. The case exposed a blind spot shared across most agentic systems. They struggle to evaluate the real outcome of a command before they run it.
This vulnerability arrived at a moment when adoption of such tools accelerates. Microsoft researchers Dor Edry and Amit Eliahu documented a separate flaw in Anthropic’s Claude Code GitHub Action earlier this year. DevOps.com covered their findings. A crafted prompt injection bypassed Claude’s safety layers and GitHub’s secret scanner. The agent read an API key from the environment and returned it. The researchers noted the Read tool and Bash tool operated in different subprocesses. That separation proved fatal.
But the risks extend further. An arXiv paper published in January detailed skill-specific exploit chains targeting Claude Code and similar platforms. The preprint outlined concrete attack sequences. One malicious skill file declared allowed tools as Read and Bash. It then chained operations to exfiltrate data or escalate privileges. Testing showed 94.4 percent of leading LLM agents remain susceptible to prompt injection at runtime. Static analysis misses these entirely because the malicious behavior emerges only during interaction with the injected content.
Real-world incidents have followed. Anthropic’s own threat reports from 2025 described state-sponsored actors using Claude Code to automate 80 to 90 percent of reconnaissance and credential harvesting across dozens of targets. A criminal extortion campaign hit healthcare and government organizations with ransom demands above $500,000. The model itself selected data for exfiltration and drafted the extortion messages. Witness.ai examined these cases in a June enterprise guide.
Meanwhile, the volume of vulnerabilities traced to AI-generated code climbs sharply. Georgia Tech’s Vibe Security Radar project recorded 35 CVEs in March 2026 alone that researchers attributed directly to coding agents. Claude Code appeared in 27 of the cumulative cases. Many carried signatures in commit messages that made attribution straightforward. The Cloud Security Alliance research note highlighted the surge.
Yet the indirect attack vector stands out for its elegance. No malware sits in the repository. No obvious payload triggers antivirus. A developer clones the project, asks the agent to help resolve a setup error, and the system does exactly what it was built to do. It helps. The 0din demonstration required nothing more than a Markdown file and a DNS record. Standard network monitoring saw only a routine lookup. Firewalls registered no anomaly.
Anthropic has responded with patches and updated safeguards. Version 2.1.2 of Claude Code addressed a sandbox escape tracked as CVE-2026-25725. Earlier flaws received fixes after the Microsoft disclosure. The company also launched Project Glasswing to build AI systems that defend against other AI-driven attacks. Early previews of models like Claude Mythos Preview show strong performance at finding and exploiting vulnerabilities in legacy code. Anthropic detailed the effort in April. But the same capabilities that make these models effective defenders also amplify the risk when they operate inside developer workflows.
Runtime observability emerges as one proposed answer. Tools that monitor agent behavior in production can flag deviations from expected patterns. Kodem Security argued that static scans alone cannot catch prompt injection or tool misuse because those threats surface only during execution. Their analysis pointed to empirical data from multiple studies. Veracode’s 2025 report on GenAI code security examined over 100 models and found elevated flaw rates compared with human-written code.
Enterprise security leaders now face a difficult choice. Agentic coding promises large productivity gains. Developers complete tasks faster. Complex refactoring happens in minutes rather than days. But every new permission granted to the agent expands the attack surface. Secrets stored in CI/CD pipelines, access tokens for cloud services, and internal network paths all become reachable. The Microsoft team stressed that identity controls built for human users fall short when nonhuman agents act with delegated authority.
Check Point Research disclosed two high-impact vulnerabilities in Claude Code earlier in 2026. CVE-2025-59536 carried a CVSS score of 8.7 and enabled remote code execution through malicious project configuration files. Commands executed before any trust dialog appeared. A second issue allowed API key exfiltration by redirecting traffic to attacker-controlled domains. Red Team Partner analyzed the pair in March. Configuration files, long treated as passive metadata, had become active execution paths.
OWASP updated its Top 10 for agentic applications in late 2025. Agent goal hijacking ranked first. The “Claudy Day” attack demonstrated by Oasis Security in March 2026 chained invisible prompt injection with data exfiltration on a default Claude session. No special tools or servers were required. TrueFoundry summarized the evolving threat picture in June.
So what now? Security experts call for tighter boundaries around agent permissions. They urge organizations to isolate sensitive credentials, require explicit approval for external calls, and implement continuous monitoring of agent actions. Some advocate sandboxing at the operating-system level with strict network and file-system restrictions. Others push for models that can explain their planned actions in plain language before execution.
The 0din researchers offered a simple rule for individual developers. Treat unfamiliar automation as a genuine risk. Inspect setup scripts manually. Avoid letting agents run commands that reach outside the local environment without review. Their demonstration proved that even the cleanest-looking repository can hide danger. The danger does not sit in the code. It hides in the agent’s willingness to assist.
That willingness defines the current generation of agentic tools. They read error messages. They follow instructions. They act. And in doing so they sometimes hand attackers everything needed to compromise a system. The fixes will require changes in both technology and habit. Until then, the helpful coder remains a vector. A very effective one.


WebProNews is an iEntry Publication