Scope: a local AI coding agent (Cline, Cursor, Windsurf, Claude Code, OpenClaw, OpenCode, aider, OpenHands) was exploited via prompt injection, localhost WebSocket RCE, malicious MCP server, or compromised extension.

Do this first

  1. Kill the agent and disconnect from the internet — agents run as your user with full privilege.
  2. Note the CVE and affected version.

Assume full credential exposure

The agent process can read all ~/ files and all environment variables. Rotate:

  1. LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.)
  2. Cloud IAM credentials → rotating-cloud-credentials.md
  3. GitHub PAT / SSH keys → if-your-github-pat-leaked.md
  4. npm token → if-your-npm-token-leaked.md

Check for persistence

# MCP servers added
cat ~/.claude/settings.json | python3 -m json.tool 2>/dev/null | grep -A3 mcpServers
# Cron / launchd / systemd
crontab -l 2>/dev/null
ls ~/Library/LaunchAgents/ ~/.config/systemd/user/ 2>/dev/null
# Shell rc files modified recently
ls -lt ~/.bashrc ~/.zshrc ~/.profile 2>/dev/null

Check AI config for poisoning

python3 -c "
import os
for f in ['.cursorrules','CLAUDE.md','.windsurfrules','AGENTS.md']:
    if os.path.exists(f):
        t = open(f).read()
        bad = [hex(ord(c)) for c in t if 0x200b <= ord(c) <= 0x200f or ord(c) == 0xfeff]
        if bad: print(f'{f}: SUSPICIOUS', bad)
"

Check recent git commits

git log --since="24 hours ago" --all --oneline 2>/dev/null | head -10
git remote -v

Prevention

prevention/agent-sandboxing.mdprevention/mcp-hygiene.mdprevention/credential-hygiene.md