What happened
Microsoft's security team disclosed a vulnerability in Claude Code, Anthropic's AI coding agent, that could let an attacker manipulate the agent through prompt injection and pull credentials out of a developer's environment. Decrypt reported the disclosure Friday evening, citing the Microsoft research. The attack vector centers on instructions hidden inside content the agent reads during normal work, such as issues, pull requests, or third-party documentation.
Once the agent parses the malicious payload, it can be coerced into running commands the operator never authorized, including reads against environment variables, .env files, or GitHub access tokens scoped to the repo. Microsoft framed it as a class problem, not a single bug, and the demonstration leaned on GitHub-connected pipelines where Claude Code runs with elevated permissions.
Anthropic has not published a public CVE or patch note tied to the disclosure as of Friday evening.
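A defender-side illustration of the command-level control this class of attack calls for, added here and not taken from the Microsoft or Anthropic material: a pre-execution guard that denies agent-proposed shell commands which would read .env files, credential files, or token-bearing environment variables. The tool-call shape (a raw command string) and the pattern lists are assumptions, not any agent's real hook interface.

```python
"""Pre-execution guard for a coding agent's shell tool calls (constructed
example; the command-string event and the pattern lists are assumptions)."""
import re
import shlex
from dataclasses import dataclass

# Files that commonly hold credentials in a developer environment; an argument
# may be a path or curl's "@file" upload syntax. Deliberately conservative.
SECRET_FILE_RE = re.compile(
    r"(^|/|@)(\.env(\.[\w-]+)?|\.git-credentials|\.npmrc|\.pypirc|credentials"
    r"|id_rsa|id_ed25519|id_ecdsa)$")
# Variable names that usually carry tokens (PATH and HOME do not match).
SECRET_NAME_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|_KEY|_PAT)\b", re.I)
# A shell expansion of such a variable anywhere on the command line.
SECRET_VAR_RE = re.compile(r"\$\{?[A-Z0-9_]*(TOKEN|SECRET|PASSWORD|PASSWD|_KEY|_PAT)\b", re.I)
ENV_DUMP_CMDS = {"env", "printenv", "set", "export"}
FILE_READ_CMDS = {"cat", "head", "tail", "less", "more", "grep", "strings", "base64", "xxd", "cp"}
NETWORK_CMDS = {"curl", "wget", "nc", "ncat"}

@dataclass
class Decision:
    allow: bool
    reason: str

def _simple_commands(command: str):
    """Split on pipes, ';', '&&', '||' into argv lists; None if unparsable."""
    try:
        return [shlex.split(part) for part in re.split(r"\|\||&&|;|\|", command)]
    except ValueError:
        return None

def guard_command(command: str) -> Decision:
    """Decide whether an agent-proposed shell command may run; deny on doubt."""
    if SECRET_VAR_RE.search(command):
        return Decision(False, "expands a credential-looking environment variable")
    parts = _simple_commands(command)
    if parts is None:
        return Decision(False, "command line could not be parsed")
    for argv in parts:
        if not argv:
            continue
        prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]  # /usr/bin/cat -> cat
        if prog in ENV_DUMP_CMDS and (not args or any(SECRET_NAME_RE.search(a) for a in args)):
            return Decision(False, f"'{prog}' would read or expose environment variables")
        if prog in FILE_READ_CMDS | NETWORK_CMDS and any(SECRET_FILE_RE.search(a) for a in args):
            return Decision(False, f"'{prog}' would read a credential file")
    return Decision(True, "no credential access detected")
```

Pair this with least-privilege tokens: a guard reduces exposure, but a repo-scoped, short-lived token limits what a missed command can reach.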
Why it matters
Coding agents are the fastest-growing attack surface in software supply chains, and most of them sit one prompt away from production credentials. A stolen GitHub Personal Access Token or fine-grained app token doesn't just expose source. It exposes the keys to deploy pipelines, container registries, and the npm and PyPI accounts those repos publish to.
For the crypto industry, where roughly every protocol, wallet, and exchange backend is versioned on GitHub, the blast radius is direct. A compromised maintainer token has been the entry point for some of the most consequential breaches of the past two years, including the Ledger Connect Kit incident in December 2023 and the Ronin validator compromise that drained $625 million. The Cryptomat read: the agent layer is now a first-class supply chain risk, and the industry's threat model hasn't caught up.
