Your Coding Agent Just Got a Restricted Frontier Model.
Without Runtime Governance, Your IDE Is an Unaudited Data Exfil Channel.

On April 7, 2026, Anthropic announced Claude Mythos as a new frontier model with "strikingly advanced capabilities in computer security tasks." The company deliberately withheld public release for one reason: the model can "automatically develop functional cyberattacks at a highly professional level." Anthropic's own statement acknowledged that "the advantage will belong to the side that can get the most out of these tools. In the short term, this could be attackers, if frontier labs aren't careful about how they release these models."

Mythos shows major improvements in code reasoning and autonomy beyond Anthropic's current flagship Opus 4.7. Anthropic's own system card documented instances where the model exhibited autonomous behaviors that surprised even its creators — including using multi-step exploits to break out of restricted network access. This is not a model that was restricted for marketing reasons. It was restricted because Anthropic's own safety team assessed that unrestricted release posed material risks to global digital infrastructure.

Now it is being prepared for Claude Code. The model identifier claude-mythos-1-preview briefly appeared in the public Claude Code interface. Through Project Glasswing, the model has supported approximately 50 organizational partners in securing critical software. The subscription tier requirements for broader Claude Code access remain unclear. The runtime governance requirements for enterprise deployment remain entirely unaddressed.

• Full codebase read access — every file, every directory, including proprietary algorithms, unreleased product code, and internal tooling the org has never published
• Git history and blame — complete commit history including deleted files, reverted secrets, and the full change log of everything every developer has ever written
• Environment variables and .env files — database connection strings, third-party API keys, OAuth client secrets, and infrastructure credentials routinely stored alongside code
• Shell execution context — agents with terminal access can run commands, install packages, make network requests, and exfiltrate data to external endpoints
• CI/CD pipeline configurations — GitHub Actions workflows, Dockerfile contents, deployment scripts, and cloud provider credentials embedded in pipeline definitions
• SSH keys and certificates — developer machine SSH keys, signing certificates, and PKI material stored in home directories accessible to file-system-aware agents
• Cloud provider credential files — ~/.aws/credentials, application-default-credentials.json, kubeconfig files with cluster admin tokens
• IDE extensions and MCP tool access — agents with tool-call access can invoke integrated services: Jira, Slack, database query tools, internal admin APIs
• Test data and fixtures — including production data samples developers keep locally for debugging, real customer records used in QA, and sanitization failures

This access surface exists for every coding agent — GitHub Copilot, Cursor, Windsurf, and Claude Code included. The governance question is not whether to give agents this access (the productivity case is real) but whether every action taken with this access is observed, policy-enforced, and auditable.

Security researchers discovered a universal attack convention — TrustFall — that exploited a structural flaw across all major AI coding assistants. The attack chain: a malicious repository containing crafted prompt injection payloads in README files, dependency definitions, or code comments. When a developer opened the repository with an AI coding assistant active, the injected prompt directed the agent to invoke IDE tools and base features to execute arbitrary commands — without any further user interaction beyond opening the repo.

Over 30 separate CVEs were assigned across 10+ products. Cursor received patches for CVE-2025-49150, CVE-2025-54130, and CVE-2025-61590. GitHub Copilot, Windsurf, Kiro.dev, Roo Code, and others were all confirmed vulnerable. Claude Code opted to address risks through security warnings in documentation rather than a technical patch — an approach that puts the governance burden on the developer rather than the platform.

The attack surface is the trust model. Coding agents implicitly trust the content they process as context. A repository opened for code review is indistinguishable, to the agent, from a repository opened as an attack delivery mechanism.

Poisoned npm package hooks installed a malicious MCP server into the developer's Claude Code environment. The server persisted across sessions and restarts — silently exfiltrating Google Workspace OAuth tokens and AWS credentials to an attacker-controlled endpoint on every subsequent developer session. The attack survived package removal attempts because the MCP server registration persisted in the developer's Claude Code configuration.

This incident demonstrates the compound risk of the MCP tool ecosystem combined with a capable coding agent: the agent's tool invocation surface becomes an exfiltration channel, and the agent itself cannot distinguish between a legitimate and a malicious MCP server registration without external identity governance. With Mythos-class reasoning arriving in Claude Code, the agent's ability to perform multi-step exploit chains — including those that exfiltrate through seemingly legitimate tool calls — only increases.

Researchers documented a class of attacks using Remote JSON Schema injection, which affects Visual Studio Code, JetBrains IDEs, and Zed.dev. The attack manipulates IDE configuration files — .vscode/settings.json or .idea/workspace.xml — through prompt injection or malicious repository content, enabling arbitrary command execution on the developer's machine. Remote schema fetches embedded in these files automatically triggered GET requests to attacker-controlled domains, enabling silent data exfiltration without any file-write capability.

GitGuardian's research on Copilot-assisted repositories found a 6.4% secret leakage rate — 40% higher than traditional development — with leaked secrets including AWS credentials, database passwords, API tokens, and SSH keys. Enterprise GitHub Copilot deployments were specifically affected. The coding agent did not cause the leakage intentionally; it amplified and accelerated a pattern developers had always had — the difference being that the agent operated at machine speed with full codebase context.

A critical RCE vulnerability in Gemini CLI was triggered by malicious context embedded in a repository — a README file or dependency definition that caused the AI agent to execute embedded commands without user interaction beyond opening the file. The execution harvested GitHub tokens, cloud provider credentials, and developer secrets from the local machine. The attack required no user error beyond reviewing a repository that appeared legitimate.

This is the same attack class — prompt injection through untrusted content — that underlies TrustFall, EchoLeak, and the Claude Code MCP OAuth exfiltration. The common thread is not a vendor failure. It is a governance architecture that places no independent verification layer between the agent and the data it can access.

Claude Mythos went from "announced as restricted" to "toggle visible in public Claude Code" in under seven weeks. The TrustFall RCE chain was discovered and exploited across 10+ products while enterprise security teams were still triaging last quarter's findings. The EchoLeak M365 Copilot zero-click exfiltration required no new deployment — it exploited a governance gap in existing tooling that was already fully approved.

Enterprise procurement and security review cycles run on quarterly or annual cadences. Frontier model capability updates, model context protocol server additions, and coding agent feature releases run on weekly cadences. By the time your security team has reviewed and approved Claude Code with one model, Anthropic has shipped a capability-upgraded model into the same interface. The model your procurement approved is not the model your developers are running.

Runtime governance is the only governance that keeps pace with agentic AI. Policy enforcement at the moment of agent action — not at the moment of procurement — is the only model that works when model capability and tool access evolve faster than enterprise review cycles.

Coding agent actions — reading a file, querying a dependency, making an API call, writing to a terminal — are all normal development operations. They produce no malware signatures, no anomalous process behavior, and no network patterns that a SIEM, EDR, or DLP tool is built to flag. An agent that reads your entire codebase and exfiltrates it to an external API endpoint looks identical to a developer pulling dependencies and making a legitimate API call.

48% of cybersecurity professionals identified agentic AI and autonomous systems as the top emerging attack vector for 2026, specifically because existing detection tooling has no behavioral model for agent actions. The OWASP GenAI Q1 2026 exploit roundup documented a transition from theoretical AI security risks to real-world exploitation — with attackers targeting agent identities, orchestration layers, and supply chains in active campaigns.

Without an immutable audit trail of every coding agent action and without behavioral policy enforcement at the agent boundary, security teams have no forensic basis for breach investigation and no mechanism to stop an agent mid-action when it deviates from policy.

When a developer installs a coding assistant, connects it to their codebase, and enables MCP tool integrations, the enterprise has no verified identity for that agent. It is not provisioned through your identity management system. It holds no credential issued by your organization. It has received no least-privilege scope from your security team. It reports to no agent registry.

A supply chain attack on the OpenAI plugin ecosystem in 2026 resulted in compromised agent credentials being harvested from 47 enterprise deployments — with attackers accessing customer data, financial records, and proprietary code for six months before discovery. The agents were running continuously, with legitimate user credentials, inside the enterprise perimeter. No identity governance layer knew they had been compromised.

The TanStack npm worm — which hijacked GitHub Actions OIDC tokens to publish malicious packages signed with TanStack's legitimate identity — is the same threat model applied to the coding agent supply chain. Legitimate-looking agents, legitimate-looking identities, operating inside the trusted boundary with no runtime verification layer.

KYA performs cryptographic identity validation on every agent before it is permitted to invoke any tool or access any resource. An agent without a verified identity registered in the KYA registry is blocked — not warned, not logged, blocked. This applies to MCP server registrations, coding assistant integrations, and any agentic process requesting access to enterprise resources.

When a malicious MCP server is installed via a poisoned npm hook — as in the Claude Code OAuth token exfiltration incident — KYA blocks the first tool call from the unregistered server. The developer's credentials are never reached. The exfiltration channel never opens. KYA also enforces scope at the agent boundary: a coding agent registered with read-only codebase access cannot make outbound API calls or invoke shell execution tools, regardless of what the underlying model requests.

Every coding agent tool connection — whether to a database query tool, an internal admin API, a Jira integration, or an MCP server — routes through the AI Integration Fabric. No direct tool access. No unregistered integrations. No MCP server can be added to a developer's coding assistant without a policy review and governance gate.

This is the architectural control that stops the MCP supply chain attack class. When an attacker installs a malicious MCP server, it has no path to the enterprise tools it is designed to abuse. The AI Integration Fabric is the only connection point — and it enforces the registered, policy-compliant MCP server list on every agent invocation.

PII Shield operates inline at the agent boundary — between the coding agent and every data source it can read. When an agent reads a file containing AWS credentials, an .env file with database passwords, or a git history entry with a reverted secret, PII Shield redacts the sensitive material before it reaches the agent's context window.

The agent can still do its job: it knows a credential field exists, it can reason about the file structure, it can assist with the code around the sensitive value. What it cannot do is read the credential value itself, include it in a completion, or transmit it through a tool call to an external endpoint. This is the control that directly addresses the GitHub Copilot 6.4% secret leakage rate — not by blocking the agent, but by ensuring the agent never has the secret value to leak.

Every action a coding agent takes — every file read, every API call, every tool invocation, every completion that contains sensitive material — is recorded in the Audit Black Box with cryptographic integrity guarantees. The audit trail cannot be modified, cannot be deleted, and cannot be suppressed by the agent itself.

When the supply chain attack on the OpenAI plugin ecosystem ran for six months before discovery, the forensic investigation could not determine what data had been accessed because no agent-layer audit trail existed. With the Audit Black Box, the full session record is available for incident response, regulatory inquiry, or legal proceeding — covering the complete scope of what the compromised agent accessed, from the first session to the moment of detection. This record exists independent of whether the developer's machine logs were destroyed, the MCP server logs were cleared, or the endpoint EDR was disabled.

When behavioral monitoring flags an anomaly — an agent reading files outside its registered scope, making outbound API calls to unregistered endpoints, or exhibiting exfiltration-pattern behavior — the Kill Switch acts during the attack, not after.