AI SECURITY · Apr 2026 · 5 min read
The OAuth server fronting Zomato's MCP endpoint rewrites the scope request and issues tokens labeled 'offline openid' that nonetheless call every MCP tool, including checkout_cart. The advertised mcp:tools / mcp:resources / mcp:prompts scopes are never enforced at the application layer.
AI SECURITY · Apr 2026 · 5 min read
Claude Code's Bash permission deny rules can be completely bypassed by writing denied commands into a script file and executing it. The parser evaluates only the script path, not its contents. Five explicitly denied commands executed and exfiltrated data to an external endpoint.
AI SECURITY · Mar 2026 · 6 min read
How a hidden HTML comment in a GitHub Gist caused Windsurf’s Cascade agent to read SSH keys and AWS credentials, then exfiltrate them to an attacker-controlled endpoint with …
AI SECURITY · Mar 2026 · 5 min read
Windsurf’s Cascade agent reads and writes files outside the workspace with zero confirmation, even with Auto Execution set to Disabled. The review prompt on writes is …
AI SECURITY · Mar 2026 · 4 min read
The Claude Code remote-control session events endpoint lacks per-session authentication, enabling invisible remote command execution from any machine on the internet.
AI SECURITY · Mar 2026 · 3 min read
A malicious MCP server can misrepresent tool actions in Claude Code's confirmation prompt, causing users to approve a file read while the server silently executes system commands.
AI SECURITY · Mar 2026 · 3 min read
How the 'Use this and all future MCP servers' option grants permanent, unbounded trust to arbitrary MCP server definitions added after the initial consent.
AI SECURITY · Mar 2026 · 3 min read
How a one-time trust decision in Claude Code enables silent arbitrary command execution when .mcp.json is modified after initial approval.