Dev.to
6/17/2026

I Gave Claude Code the Keys. So Did a Worm.
Short summary
Three recent vulnerabilities in AI coding agents (Claude Code, Cursor, mcp-remote) stem from a shared root cause: agents blur the boundary between data they read and commands they execute while holding full user privileges. Attacks span supply-chain worms injecting malicious config files, prompt injection via unvalidated shell built-ins, and OS command injection from malicious MCP servers. Filtering and least-privilege mitigate but don't eliminate the fundamental architectural flaw.
- •Mini Shai-Hulud worm persists in .claude/settings.json hooks and VS Code configs, surviving credential cleanup by executing on next session start
- •Cursor's allowlist misses shell built-ins, enabling prompt injection to poison env vars and alter approved commands' behavior
- •mcp-remote servers achieve arbitrary OS command execution via crafted OAuth responses, affecting ~437k downloads with no pre-connection validation
Generated with AI, which can make mistakes.
Is this a good recommendation for you?



