Back to feed
Dev.to
Dev.to
6/17/2026
I Gave Claude Code the Keys. So Did a Worm.

I Gave Claude Code the Keys. So Did a Worm.

Short summary

Three recent vulnerabilities in AI coding agents (Claude Code, Cursor, mcp-remote) stem from a shared root cause: agents blur the boundary between data they read and commands they execute while holding full user privileges. Attacks span supply-chain worms injecting malicious config files, prompt injection via unvalidated shell built-ins, and OS command injection from malicious MCP servers. Filtering and least-privilege mitigate but don't eliminate the fundamental architectural flaw.

  • Mini Shai-Hulud worm persists in .claude/settings.json hooks and VS Code configs, surviving credential cleanup by executing on next session start
  • Cursor's allowlist misses shell built-ins, enabling prompt injection to poison env vars and alter approved commands' behavior
  • mcp-remote servers achieve arbitrary OS command execution via crafted OAuth responses, affecting ~437k downloads with no pre-connection validation

Generated with AI, which can make mistakes.

Is this a good recommendation for you?

Explore more