TL;DR: Claude Code’s ability to read code, fetch web pages, run commands, and call MCP tools creates a large prompt injection attack surface when permissions are skipped, according to Lasso Security. The real issue is not model capability but the collapse of trust boundaries around untrusted content and trusted execution.
NHIMG editorial — based on content published by Lasso Security: The Hidden Backdoor in Claude Code: Why Its Power Is Also Its Greatest Vulnerability
By the numbers:
- The defender includes 50+ regex patterns across all four injection categories.
Questions worth separating out
Q: How should security teams govern AI assistants that can read untrusted content and execute tools?
A: They should govern the assistant as an action-capable identity, not as a passive chatbot.
Q: Why do AI assistants with MCP access create a larger governance problem than standalone prompts?
A: MCP turns content ingestion into delegated access across multiple systems, so a poisoned source can influence both reasoning and action.
Q: What do security teams get wrong about prompt injection defenses?
A: They often assume model resistance is enough, when the real weak point is the context pipeline.
Practitioner guidance
- Classify every tool output as untrusted input: Scan repository files, web fetches, issue text, and MCP responses before they enter the model context, and treat suspicious language as a security event rather than a prompt quality issue.
- Reduce approval-free execution paths: Avoid broad use of danger-skip permissions, and scope elevated access so the assistant cannot freely chain content ingestion into command execution across unrelated systems.
- Map MCP connections as separate trust boundaries: Document which services can supply content, which can trigger actions, and which can reach sensitive data, then review those paths as if they were distinct identities with delegated access.
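One way to put the first point into practice as a PostToolUse hook, as an added example written for this editorial rather than Lasso Security's code or pattern files: a small Python scanner with a constructed pattern set in four illustrative categories, which also decodes base64-looking runs and rescans them. It assumes the hook receives the event JSON on stdin with tool_name and tool_response fields and signals a block by exiting with status 2.

```python
import base64
import json
import re
import sys

# Constructed, illustrative patterns in four categories (not Lasso's own 50+).
PATTERNS = {
    "instruction_override": [
        r"ignore (all |any )?(previous|prior|above) instructions",
        r"disregard (your|the) (system prompt|guidelines|rules)",
    ],
    "role_hijack": [r"you are now (a|an|the) ", r"from now on,? (you|act|respond) "],
    "data_exfiltration": [
        r"(reveal|print|send|upload|exfiltrate) (your |the |all )?"
        r"(system prompt|api[ _-]?keys?|secrets?|tokens?|credentials)",
    ],
    # long base64-looking run: decoded and rescanned by scan_tool_output
    "encoded_payload": [r"[A-Za-z0-9+/]{40,}={0,2}"],
}

def _decode_base64(blob):
    """Strict decode of a candidate base64 run; '' if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
    except ValueError:
        return ""

def scan_tool_output(text, depth=0):
    """Return (category, matched_text) pairs; base64 runs are decoded and rescanned
    (bounded depth) so a wrapped instruction is reported under its real category."""
    findings = []
    for category, regexes in PATTERNS.items():
        for rx in regexes:
            for m in re.finditer(rx, text, re.IGNORECASE):
                findings.append((category, m.group(0)))
                if category == "encoded_payload" and depth < 2:
                    findings.extend(scan_tool_output(_decode_base64(m.group(0)), depth + 1))
    return findings

def main():
    # Assumed hook contract: event JSON on stdin ('tool_name', 'tool_response'); exit 2 blocks and returns stderr to the model.
    event = json.load(sys.stdin)
    raw = event.get("tool_response", "")
    findings = scan_tool_output(raw if isinstance(raw, str) else json.dumps(raw))
    if findings:  # a security event, not a prompt-quality issue
        print(f"Blocked {event.get('tool_name')} output: {findings}", file=sys.stderr)
        sys.exit(2)

if __name__ == "__main__":
    main()
```

Registered as a PostToolUse hook, the script runs after each tool call and the findings list is what a SIEM or audit log should receive, since the point is to record the event, not only to stop the single turn.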
What's in the full article
Lasso Security's full blog covers the operational detail this post intentionally leaves for the source:
- The full four-category prompt injection taxonomy with example payloads and decoding patterns
- Step-by-step setup details for the PostToolUse hook in Python and TypeScript
- Enterprise managed-settings options, including how allowManagedHooksOnly changes enforcement
- The exact pattern files and deployment structure used to extend detection coverage
👉 Read Lasso Security's analysis of prompt injection in Claude Code →
Claude Code prompt injection: are your controls keeping up?
Explore further
Prompt injection is an identity problem because the actor making decisions is no longer the human at the keyboard. The moment Claude Code can read untrusted content and act on it with reduced approval gates, the security boundary shifts from user intent to delegated execution. That makes trust, authorisation, and context integrity part of the identity control plane, not just prompt engineering. Practitioners should treat this as AI identity governance, not an isolated application bug.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when an AI assistant executes an unsafe command after reading hostile content?
A: Accountability sits with the programme that granted the assistant its permissions, tool scopes, and deployment controls. The model did not self-authorise. Security, platform, and application owners all share responsibility for ensuring the assistant cannot convert untrusted input into privileged output without oversight.
👉 Read our full editorial: Claude Code prompt injection exposes hidden backdoor risks