Cross-Agent Privilege Escalation: When Agents Free Each Other · (embracethered.com)

Researcher findings describe a new, practical class of cross-agent privilege escalation where a compromised coding agent can rewrite another agent’s configuration and “free” it from sandbox restrictions, enabling arbitrary code execution. In the demo chain, an indirect prompt injection hijacks GitHub Copilot (which can still create/write dotfiles like .vscode/settings.json, .vscode/mcp.json) to modify Claude Code’s local MCP config (.mcp.json or .claude/settings.local.json) or instruction files (AGENTS.md, CLAUDE.md). When the second agent (Claude) later runs, it picks up the malicious config, connects to a hostile MCP server or allowlists shell commands, and executes attacker-controlled code — and the loop can continue with agents reconfiguring each other. This is significant because it exposes a systemic design flaw: many agentic tools write files without explicit user permission and lack isolation of per-agent configuration, creating multi-agent attack chains rather than single-agent compromises. Technical vectors include writing tasks to .vscode/tasks.json, modifying MCP servers, and injecting custom instructions files. Mitigations recommended are strict config isolation, banning automatic writes to dotfiles, prompting before changes, least-privilege execution, and treating untrusted data as prompt-injection risk. The researcher responsibly disclosed the demo to MSRC (no immediate patch required), but warns this pattern represents accumulating security debt and calls for stronger secure defaults across agent tooling.