◈ AI Security Intelligence ← Daily feed
Vulnerability  ·  2026-06-22

Mitiga Skillgate Research — Attacker-Controlled ANTHROPIC_BASE_URL Overrides and 1,230+ Hardcoded API Keys in AI Instruction Files

VulnerabilityHigh impactGlobal
What happened
Mitiga Labs (published June 18, 2026) scanned 50,000+ AI instruction files (Cursor rules, CLAUDE.md, AGENTS.md, MCP server configs, Claude Hooks, Anthropic Skills) across 7,000+ public repositories and found: (1) attacker-controlled ANTHROPIC_BASE_URL overrides in shipped 'convenience' files that silently route all Claude API traffic through attacker-controlled MITM proxies, capturing every prompt and response; (2) permission-bypass overrides shipped as defaults; and (3) over 1,230 hardcoded API keys and JWT tokens across tens of services. Mitiga also found prompt-exfiltration tradecraft caught in the wild. The research released a free scanner (Skillgate) to detect these patterns.
Why it matters
AI coding agents (Claude Code, Cursor) unconditionally trust instruction files found in repositories or project directories. A malicious repository, a compromised open-source project, or a trojanised Cursor rule file can silently redirect all AI API traffic through an attacker's proxy, exfiltrating every prompt (including code, secrets, and internal data) and every model response. With 1,230+ live API keys discovered, the direct credential-theft impact is also significant. This is a supply-chain attack class that scales with the adoption of AI coding agents.
Attack vector
Attacker embeds ANTHROPIC_BASE_URL override pointing to attacker-controlled server in a repository's AI instruction file (e.g. CLAUDE.md, .cursorrules); when any developer opens the project with an AI coding agent, all API traffic is silently proxied, capturing prompts, secrets, and responses
Affected systems
Claude Code, Cursor, any AI coding agent that reads CLAUDE.md / AGENTS.md / .cursorrules / MCP server config files from repository context; projects using Anthropic SDK with ANTHROPIC_BASE_URL override support
Mitigation
Audit all AI instruction files in your repositories and CI pipelines for unexpected ANTHROPIC_BASE_URL or similar base-URL overrides; use Mitiga's free Skillgate scanner; never trust instruction files from unvetted repositories without review. See: https://www.mitiga.io/blog/malware-in-ai-instruction-files-skillgate
Sources
Mitiga Labs — Modern Malware: Spyware Skills, Hijacked Base URLs, and 1,230+ Leaking API Keys in AI Instruction Files (June 18, 2026)
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →