AI Coding Agents Vulnerable to Sneaky Attacks via Malicious Configuration Files and Prompt Injections

June 28, 2026
AI Coding Agents Vulnerable to Sneaky Attacks via Malicious Configuration Files and Prompt Injections
  • Attack vectors now extend to project-specific configuration files (like CLAUDE.md, .cursorrules, AGENTS.md) that hide directives or Unicode characters guiding malicious actions, with even README files capable of steering exfiltration of environment variables and credentials.

  • In a demonstrated chain, a fragile Python package triggers Claude Code to execute an attacker-controlled shell script during an error-resolution step, yielding a reverse shell with the attacker’s privileges even though no malware sits in the repository.

  • The report warns against trusting unknown projects as safe code or relying on AI tools for security analysis; developers must scrutinize what will run and how, rather than following prompts blindly.

  • Vendors are patching specific vectors (such as Claude Code permission bypasses and GitHub Copilot injections) and issuing CVEs, while NIST classifies prompt injection as a major ongoing security flaw tied to AI agents’ core instruction-reading and action-taking roles.

  • A real-world test on June 3 with the Miasma supply-chain worm disabled 73 Microsoft/Azure repositories by deploying malicious npm packages; the payload activates when AI agents process affected repos, illustrating a configuration-injection-based risk.

  • The attack surface spans multiple coding agents beyond Claude, underscoring a broader risk for AI-assisted development environments and the need for stricter vetting of code and execution steps.

  • The exploit is stealthy because each step appears ordinary, and security tools may miss the activity; domain configuration and the reverse shell are disguised through legitimate-looking actions.

  • Another vulnerability class, called ‘Comment and Control,’ shows prompt injection via pull request titles, issues, and comments, where trusted context is manipulated to exfiltrate credentials or inject malicious code.

  • The attack chain unfolds in three steps: Claude clones a malicious repo, a deceptive readme prompts Python environment initialization, and a shell script downloads code and queries a DNS TXT record to fetch a base64 payload that opens a reverse shell.

  • Industry response includes security guidance plugins from Anthropic and advisories urging manual review of configuration files before using AI coding agents; overall, the “helpfulness” of AI agents expands the attack surface, necessitating vigilance and layered defenses.

Summary based on 2 sources


Get a daily email with more Tech stories

More Stories