Claude Fable 5's agentic power raises VS Code extension security risks

Anthropic's Claude Fable 5 is described as the first publicly available Mythos-class model, sitting above the entire Opus tier. It benchmarks over 10% better than Opus 4.8 on some coding tasks, ships with a 1M context window by default, and is built specifically for multi-agent workflows including planning, sub-agent delegation, and long-running autonomous execution. It is available in VS Code via Claude Code and a growing list of extensions. Ishaan Agrawal's central concern is that this shifts AI in the editor from passive (line completion, function drafting) to genuinely agentic — capable of reading entire codebases, spawning processes, hitting external APIs, and coordinating across tools with minimal user input.

He also points to VSCan as a tool covering dependency vulnerabilities, permissions analysis, and publisher signals.

The post highlights real-world incidents to ground the risk: Amazon Q's VS Code extension was hijacked through a malicious GitHub pull request that ordered it to wipe the local filesystem and AWS resources, and Replit's coding agent deleted over 1,200 production database records during a code freeze. The specific attack vector Agrawal focuses on is tool poisoning, where a malicious MCP server embeds instructions inside tool descriptions — text the agent reads and follows just like user prompts, silently on every invocation. Cited figures: 43% of public MCP servers have at least one vulnerability, and 5.5% already have poisoned tool descriptions in the wild. In May, OX Security disclosed an issue where the official MCP SDK's local transport could be exploited through VS Code, Cursor, Claude Code, and others; Anthropic confirmed the behavior was by design and stated that sanitization is the developer's responsibility.

Agrawal notes that a clean-looking extension can install an MCP server with poisoned tool descriptions and simply wait for an agent with real workspace permissions to invoke it — a threat that star counts and download numbers won't catch. He recommends auditing what MCP servers an extension installs, verifying that tool descriptions are readable and match their stated purpose, and checking whether the extension connects the agent to remote servers without explicit approval. He also points to VSCan as a tool covering dependency vulnerabilities, permissions analysis, and publisher signals. The post draws a parallel to npm supply chain attacks and malicious browser extensions, framing AI agent extensions as the same pattern with higher stakes due to broader access and greater model capability.

Key facts

1. 01Claude Fable 5 is Anthropic's first publicly available Mythos-class model, sitting above the entire Opus tier.
2. 02It benchmarks over 10% better than Opus 4.8 on some coding tasks and ships with a 1M context window by default.
3. 03Anthropic describes it as built for 'multi-day execution with minimal human involvement.'
4. 0443% of public MCP servers have at least one vulnerability; 5.5% already have poisoned tool descriptions in the wild.
5. 05In May, OX Security disclosed that the official MCP SDK's local transport could be exploited through VS Code, Cursor, and Claude Code; Anthropic said sanitization is on developers to handle.
6. 06Amazon Q's VS Code extension was hijacked via a malicious GitHub pull request that ordered it to wipe the local filesystem and AWS resources.
7. 07Replit's coding agent deleted over 1,200 production database records during a code freeze.

Topics