TL;DR: A flaw in VS Code's MCP install dialog let a single click hide environment variables and headers, enabling remote code execution or silent session hijacking for AI tooling, according to Oasis Security's research. The issue shows that AI agent governance fails when install-time trust is assumed but never truly inspected.
NHIMG editorial — based on content published by Oasis Security: Envade: One Click in VS Code, Full Shell for the Attacker
Questions worth separating out
Q: What breaks when MCP install dialogs hide runtime settings?
A: The approval step breaks because the user is reviewing an incomplete trust boundary.
Q: Why do hidden MCP credentials and headers matter so much?
A: They matter because they can change which identity a tool uses after installation.
Q: How should security teams govern AI tools that write into workspace settings?
A: Treat every workspace-held setting that affects authentication, startup behaviour, or remote access as a governed identity artefact.
Practitioner guidance
- Audit persisted MCP configuration, not just install previews: review mcp.json files and any workspace-scoped settings for env, envFile, headers, cwd, and startup-loader values that were not intentionally entered.
- Block hidden credential injection paths in developer tooling: require install flows to render every persisted setting that can influence execution or authentication, including Authorization headers and environment variables.
- Inventory AI tooling as non-human identity surface: map which MCP servers, assistants, and extensions can access credentials, external APIs, or production systems, then assign owners and a review cadence for each identity-bearing component.
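A small audit script for the first two points above, added here as an example and not code from Oasis Security, NHIMG, or the VS Code project. It walks persisted mcp.json files, flags the env, envFile, headers, and cwd settings the guidance names (plus well-known startup-loader variables such as NODE_OPTIONS and LD_PRELOAD), and compares a server's persisted keys against the keys a user was actually shown at install time. The sample mcp.json, the server names, the placeholder token, and the `servers`/`env`/`headers` layout are constructed assumptions; adjust key names to whatever your MCP client persists.

```python
"""Audit persisted MCP server configuration for settings that change what
runs or which identity a tool presents. Added example; the sample config
below is constructed, not taken from any real workspace."""
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

# Persisted keys that can alter execution or authentication after install.
SENSITIVE_KEYS = ("env", "envFile", "headers", "cwd")

# Header names that carry a credential; matched case-insensitively.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}

# Environment variables that make a runtime load extra code at startup.
# Assumption: this list is illustrative, not complete.
STARTUP_LOADERS = {"NODE_OPTIONS", "LD_PRELOAD", "DYLD_INSERT_LIBRARIES",
                   "PYTHONSTARTUP", "PYTHONPATH", "BASH_ENV", "ENV"}


@dataclass(frozen=True)
class Finding:
    server: str
    setting: str
    reason: str


def audit_server(name: str, server: dict) -> List[Finding]:
    """Report every identity- or execution-affecting setting one server persists."""
    findings: List[Finding] = []
    for var in server.get("env", {}):
        reason = ("startup-loader variable" if var in STARTUP_LOADERS
                  else "environment variable persisted")
        findings.append(Finding(name, f"env.{var}", reason))
    if "envFile" in server:
        findings.append(Finding(name, "envFile", f"secrets loaded from {server['envFile']}"))
    for header in server.get("headers", {}):
        if header.lower() in CREDENTIAL_HEADERS:
            findings.append(Finding(name, f"headers.{header}",
                                    "credential-bearing header persisted"))
    if "cwd" in server:
        findings.append(Finding(name, "cwd", f"working directory overridden to {server['cwd']}"))
    return findings


def audit_config(config: dict) -> List[Finding]:
    """Audit every server entry in one parsed mcp.json document."""
    findings: List[Finding] = []
    for name, server in config.get("servers", {}).items():
        findings.extend(audit_server(name, server))
    return findings


def hidden_settings(server: dict, previewed: Iterable[str]) -> dict:
    """Persisted sensitive keys that never appeared in the install preview.
    `previewed` is the set of keys the dialog rendered; anything sensitive
    outside it was approved without being seen."""
    shown = set(previewed)
    return {k: server[k] for k in SENSITIVE_KEYS if k in server and k not in shown}


def audit_workspace(root: Path) -> List[Finding]:
    """Walk a checkout and audit every mcp.json beneath it (e.g. .vscode/mcp.json)."""
    findings: List[Finding] = []
    for path in root.rglob("mcp.json"):
        findings.extend(audit_config(json.loads(path.read_text())))
    return findings


# Constructed sample: one HTTP server with a persisted bearer token, one stdio
# server with a loader hook, an API key and a cwd override. PLACEHOLDER values
# stand in for secrets.
SAMPLE_MCP_JSON = """
{
  "servers": {
    "docs-search": {
      "type": "http",
      "url": "https://mcp.example.test/",
      "headers": {"Authorization": "Bearer PLACEHOLDER_TOKEN"}
    },
    "local-tools": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "example-mcp-server"],
      "env": {"NODE_OPTIONS": "--require /tmp/loader.js", "API_KEY": "PLACEHOLDER"},
      "cwd": "/tmp/work"
    }
  }
}
"""
SAMPLE_CONFIG = json.loads(SAMPLE_MCP_JSON)

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.server}] {f.setting}: {f.reason}")
    # What a preview that only rendered command/args would have concealed:
    print(hidden_settings(SAMPLE_CONFIG["servers"]["local-tools"], ["command", "args"]))
```

Run `audit_workspace(Path("."))` from a repository root to sweep every persisted mcp.json; every Finding is something a human should have consciously entered, so anything you do not recognise is worth treating as an unreviewed identity change rather than a configuration quirk.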
What's in the full report
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- The exact hidden settings pattern that allowed env and header values to survive the MCP install flow
- The proof-of-concept attack sequence showing how a crafted deeplink turns into local execution
- The specific configuration strings security teams should grep for in existing workspaces
- The MSRC disclosure timeline and the VS Code version that closes the flaw
👉 Read Oasis Security's analysis of the VS Code MCP install dialog flaw →
VS Code MCP install dialog flaw: are your controls keeping up?
Explore further
Install-time disclosure is the control, and it failed here because the runtime state outgrew the preview state. The dialog was supposed to be the moment when a human validated what an external party was adding to a workspace. Instead, the persisted configuration contained values that never appeared in the review surface, so the approval step was operating on incomplete information. The practitioner conclusion is that install dialogs for MCP and similar AI tooling must be treated as identity control points, not convenience UX.
A few things that frame the scale:
- Only 18% of MCP server deployments implement any form of access scoping for tool permissions, according to The State of MCP Server Security 2025.
- 53% of MCP servers expose credentials through hard-coded values in configuration files, according to Astrix Security research.
A question worth separating out:
Q: When should organisations treat developer AI tooling as an NHI risk?
A: As soon as the tool can store credentials, call external services, or act on a user's behalf without re-authenticating each time. At that point, it is no longer just software configuration. It is part of the non-human identity estate and should be governed with ownership, scoping, and revocation controls.
👉 Read our full editorial: VS Code MCP install dialog flaw exposes agent identity risk