#107 - AI Coding Agents Hijacked: MCP Flaw, Claude Mythos, Prompt Injection

PRESENTED BY

Cyber AI Chronicle

By Simon Ganiere · 19^th April 2026

Welcome back!

Last week the question was whether AI credentials were the new credential class nobody had built governance around. This week answers a different question: what happens when the AI agents themselves are the attack surface?

In a single seven-day window, three independent research teams demonstrated working credential-theft attacks against Claude Code, Google Gemini CLI, and GitHub Copilot agents. A fourth team chained indirect prompt injection in Cursor into persistent remote access on macOS developer machines. A fifth showed that Anthropic's Model Context Protocol has an architectural flaw putting an estimated 200,000 servers at risk of unauthenticated command execution, and Anthropic has declined to fix it at the protocol level. And Anthropic itself announced Project Glasswing, the coalition around Claude Mythos Preview, the frontier model that autonomously found thousands of zero-days in operating systems and browsers.

Read those together and the picture is this: the same AI coding tools your developers are using right now, with access to your repositories, secrets, and build infrastructure, can be hijacked by someone placing a malicious comment on a pull request. The vendors paid bug bounties between $100 and $1,337. None of them issued CVEs. Most of your developers will not have heard about this on Monday.

If #106 was about AI credentials being the new target class, #107 is about the thing those credentials unlock being fundamentally manipulable.

🛡️ AI System Vulnerabilities (attacks ON AI): → 13 articles at score ≥7 this week (vs 14 previous week, -7%). Volume is steady but density of cross-vendor findings is without precedent.

Significance: This is no longer theoretical. Production AI agents with access to secrets and tools have a systematic, cross-vendor architectural weakness that vendors are classifying as "expected behaviour."

🔗 AI Supply Chain & Developer Tool Abuse: → 9 articles (vs 9, 0%).

Significance: MCP is the AI ecosystem's new universal transport, and its security model was never hardened for the use cases it now services. The "by design" label from Anthropic is a governance problem, not a technical one.

🔍 AI-Accelerated Vulnerability Exploitation: ↓ 8 articles (vs 9, -11%). Volume slightly down but significance up sharply.

Significance: The frontier-lab head start framing from #106 is now being independently tested. Opus 4.6, publicly available, can already build a working Chrome exploit for the price of a decent laptop.

🤖🏃 AI Autonomous & Agentic Attacks: ↓ 8 articles (vs 9, -11%).

Significance: Autonomous attack capability is no longer a question of whether models can do it. It is a question of whether the agents running in your environment can be turned against you via untrusted input they were designed to process.

🦠 AI-Assisted Malware Development: ↓ 2 articles (vs 3, -33%).

Significance: AI-assembled malware is now being recovered from live intrusions, not theorised. The REF6598 toolkit is what the low-mid tier of threat actor economics looks like with a good coding model in the loop.

🤖 AI-Enabled Social Engineering: → 3 articles (vs 3, 0%).

Significance: Volume is stable at the newsletter scale, but the victim-level picture is worse than the weekly count suggests. The schools deepfake crisis is the clearest data yet on AI-enabled harm to children at scale.

Three separate pieces of research landed in the same week, and together they make the same argument: the AI agents wired into your development pipeline have a systematic, architectural weakness that the vendors are not fully owning.

Johns Hopkins researchers led by Aonan Guan disclosed "Comment-and-Control," a prompt injection technique that hijacks Claude Code Security Review, Google's Gemini CLI Action, and GitHub Copilot Agent when they process GitHub pull request titles, issue bodies, or HTML comments. The attack extracts API keys and credentials via GitHub's own logging infrastructure. Anthropic classified it critical and paid a $100 bounty. Google paid $1,337. GitHub paid $500 and classified it as a known architectural limitation. None issued a CVE. None warned customers.

In parallel, Straiker researchers disclosed NomShub, a chain that combines indirect prompt injection via a README.md file with a shell builtin sandbox bypass in Cursor, overwrites .zshenv, and hijacks Cursor's remote tunnel feature for persistent authenticated access, with all traffic routed through Microsoft Azure infrastructure to defeat network-level detection. Patched in Cursor 3.0. No user interaction required beyond opening a malicious repo.

And Manifold Security showed that Claude-based auto-reviewers will approve malicious code if the Git commit author metadata is spoofed to look like a trusted maintainer. Two Git commands. That's the whole attack.

The pattern across all three is consistent with last week's argument about probabilistic controls failing probabilistically. These AI agents are given bash execution, git push, and production secrets in the same runtime that processes untrusted input. The injection isn't a bug in the agent. It is the agent processing context the way it was designed to. Multi-layer runtime defences, secret scanning, network firewalls, all bypassed because the model treats malicious instructions as legitimate context.

On Monday: which of your agents have repo access and which secrets can they touch? If you cannot answer that in five minutes, you have a visibility problem, and visibility is security.

Last November nobody outside AI engineering circles knew what Model Context Protocol was. Six months later it is the de facto transport connecting AI agents to everything, and its security model was never designed for the role it now fills.

OX Security's disclosure this week is the clearest accounting yet. Four distinct vulnerability classes in Anthropic's MCP STDIO interface: unauthenticated command injection, hardening bypass via npx -c argument injection, zero-click prompt injection in AI IDEs including Windsurf, Cursor, Gemini CLI, and GitHub Copilot, and supply chain poisoning via MCP marketplaces where the researchers successfully submitted malicious MCP packages to nine of eleven marketplaces tested. Over thirty coordinated disclosures accepted. At least ten critical CVEs issued in downstream tools, including LangFlow, GPT Researcher, Upsonic, Flowise, and Windsurf. Estimated blast radius: 200,000 servers and 150 million cumulative SDK downloads.

Anthropic's response was to update a documentation page to recommend MCP be used "with caution" and to classify the underlying STDIO behaviour as "by design." OX Security's characterisation is blunt: the guidance fixed nothing.

Run this alongside the Marimo-plus-Hugging-Face story: threat actors exploiting CVE-2026-39987 in the Marimo notebook within ten hours of disclosure to deliver NKAbuse malware from a typosquatted Hugging Face Space, using NKN blockchain for C2 and abusing the legitimate HTTPS reputation of an AI platform to defeat reputation-based defences. Plus the actively exploited nginx-ui MCP bypass (CVE-2026-33032, CVSS 9.8), unauthenticated full server takeover via two HTTP requests to an MCP endpoint that inherited the parent application's capabilities but not its authentication.

This is the same pattern #106 identified in AI credentials and it's arriving faster. A new class of infrastructure is being deployed at enterprise scale faster than governance, vulnerability management, and inventory controls can catch up. The AWS access key playbook is not being applied to MCP servers. It should be.

The Monday question: do you even know how many MCP servers are running in your environment?

Anthropic's Project Glasswing announcement is the biggest AI security news of the week by far, and it deserves Rosling-grade instinct-checking before the framing calcifies.

The facts: Claude Mythos Preview autonomously identified thousands of zero-day vulnerabilities across operating systems and browsers, including a 27-year-old OpenBSD flaw, a 16-year-old FFmpeg bug missed by five million automated tests, and a chained Linux kernel privilege escalation from user to root. It scored 83.1% on CyberGym, substantially above Opus 4.6 at 66.6%. Anthropic restricted access to a consortium including AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, and Palo Alto Networks, framed as a defensive head start. $100M in model credits committed, $4M in donations to open-source security. VulnCheck's Patrick Garrity has tentatively attributed about 40 CVEs to the initiative so far, though only CVE-2026-4747 (the 17-year-old FreeBSD NFS RCE) is definitively tied to Mythos.

The instinct-check is this. Hacktron's Mohan Pedhapati used the publicly available Claude Opus 4.6 to build a working Chrome V8 exploit for CVE-2026-5873 in a week, at $2,283 in API cost and 20 hours of human iteration. Opus 4.6 scores 66.6% on CyberGym. It is not Mythos. And it already does enough. The frontier-lab head start is real in absolute terms but smaller than the announcement framing suggests.

What Glasswing actually signals, if you squint past the marketing, is that frontier labs now understand they are sitting on dual-use weapons and are scrambling to build private defender coalitions. That is a new governance pattern worth watching. It is also a pattern that does nothing for SMB and mid-market organisations that will never be in the consortium. Those organisations are dependent on the Glasswing partners' ability to push defensive improvements downstream through the vendor ecosystem, and that ecosystem includes Cisco and Palo Alto, companies whose own CVE track record was the subject of uncomfortable editorial comment in previous editions.

Practical implication: the question is not whether Mythos is real. The question is whether your organisation can absorb even a normal quarter's worth of zero-day disclosures without an industrial patching process. If not, that is the gap to fix, because it is the one that widens either way, whether the attackers get Mythos-equivalent tooling first or the defenders do.

SPONSORED BY

Most browsers get you to the page. Norton Neo gets you to the answer. Magic Box understands your intent before you finish typing — no prompting, no switching apps, no copy-pasting. Built-in AI, instantly and for free. Privacy handled by Norton, by default.

Get Neo for Free

🛡️ AI System Vulnerabilities Johns Hopkins researchers demonstrated Comment-and-Control prompt injectionhijacking Claude Code, Gemini CLI, and GitHub Copilot agents via untrusted GitHub metadata. Straiker disclosed NomShub, a Cursor chain exploiting indirect prompt injection plus shell builtin sandbox bypass for persistent macOS access. Manifold Security showed Claude auto-reviewers approve malicious code when Git author metadata is spoofed.

🔗 AI Supply Chain Abuse OX Security disclosed a four-class MCP architectural flaw affecting 200,000 servers; Anthropic declined to patch at the protocol level. Active exploitation confirmed in nginx-ui MCP CVE-2026-33032(CVSS 9.8) with 2,689 instances still exposed. Attackers weaponised Hugging Face Spaces to distribute NKAbuse RATvia CVE-2026-39987 in the Marimo Python notebook, exploited within ten hours of disclosure.

🔍 AI Vulnerability Exploitation Claude Mythos Preview autonomously identified thousands of zero-days including a 27-year-old OpenBSD flaw and chained Linux kernel privilege escalation. Hacktron built a working Chrome V8 exploit using Opus 4.6 for $2,283. Google Threat Intelligence warned that PRC-nexus operators are accelerating exploit development via LLM assistance, with the disclosure-to-exploitation window measurably collapsing.

🦠 AI-Assisted Malware Elastic Security Labs published REF6598, attributing the PHANTOMPULSE RAT to AI-generated code, deployed against financial and cryptocurrency sector targets via Obsidian plugin abuse. C2 resolution runs through Ethereum blockchain lookups to defeat domain blocking.

🤖 AI-Enabled Social Engineering WIRED and Indicator's global investigation into AI "nudify" app abuse documented 600+ student victims across 90 schools in 28 countries, with UNICEF estimating 1.2 million children affected annually. HUMAN Security exposed the Pushpaganda campaign using AI-generated clickbait to hijack Google Discover and weaponise browser notifications for scam delivery, peaking at 240M bid requests across 113 domains; Malwarebytes covered the same operation from the user-impact angle.

📜 AI Governance & Defence Anthropic's Project Glasswing coalition committed $100M in credits and $4M in donations, setting a new pattern for frontier-lab-plus-critical-infrastructure coordination. VulnCheck's public attribution analysis identified roughly 40 CVEs tentatively linked to the initiative but only one (CVE-2026-4747) definitively attributed to Mythos.

Edition #106's closing question was whether you know where your AI API keys are. Edition #107's is adjacent and more uncomfortable: do you know what your AI coding agents can touch?

The structural thing that changed this week is not that AI can hack things. We already knew that, and Hacktron's $2,283 Chrome exploit confirms it in economic terms. The structural thing that changed is that the AI coding agents sitting inside your development environment, with access to repositories, secrets, build pipelines, and production deploys, are now demonstrably hijackable via untrusted input they are designed to process. Cross-vendor. Architectural. Patched by some vendors, accepted as "expected behaviour" by others. No CVEs. No public advisories. The Monday-morning reality is that most security teams will not know this happened unless they read Jessica Lyons at The Register or tracked a couple of vendor bug bounty pages.

Apply Rosling's negativity instinct to Project Glasswing. "Frontier AI can now hack anything" is the alarming framing. The calibrated read is that frontier AI sits in a coalition of large partners who will get the defensive benefit first. Meanwhile Opus 4.6, which you can buy today, is enough to build a Chrome exploit. The gap exists but is smaller than the announcement suggests, and the coalition model does very little for the 500 to 5,000 employee organisations that make up the readership of this newsletter. They are downstream of Glasswing's trickle-through, and that trickle runs through the same vendor ecosystem whose uneven patching behaviour is the subject of the week's second biggest story.

The common thread between MCP's 200,000 servers, the agentic prompt injection cluster, the Marimo-via-Hugging-Face campaign, and the inconsistent CVE assignment is not a sophistication gap. It is a governance gap. AI tooling has been deployed into production at scale ahead of the inventory, vulnerability management, credential rotation, and patching discipline that was built for more conventional infrastructure. Visibility is security. Right now most organisations have almost none over this layer of their own stack.

The Monday question: if every AI agent in your environment were hostile tomorrow, what would they be able to touch? If the answer is "we don't know," that is the programme gap to close first.

Reference: AI Influence Level from Daniel Miessler

Till next time!

Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.