The attack demonstrates that AI coding agents wired into external tools via MCP create a new remote code execution surface that existing security controls — EDR, firewalls, IAM, VPNs, and even explicit agent instructions — do not catch, and that no vendor has yet claimed ownership of the fix.