I Gave Claude Code the Keys. So Did a Worm.

Three vulnerabilities from the last few months, three different layers of the AI-coding-agent stack, one root cause. None of them is the model getting "jailbroken." Each is the agent doing exactly what it's built to do, with your credentials, while someone else supplies the input. Here's the mechanism on each, and what actually mitigates it.

The first one lives in your agent's config file.

The worm that lives in your agent's config (Mini Shai-Hulud)

In May, a self-propagating supply chain worm tracked as Mini Shai-Hulud (attributed to a group called TeamPCP) hit 170+ npm and PyPI packages in a single wave, including TanStack, Mistral AI, and OpenSearch projects. The campaign has kept resurfacing in new variants through June.

Standard supply-chain stuff until you look at where it persists. It doesn't just harvest credentials and leave -- it writes itself into the developer toolchain's own config: