For two years the pitch on AI coding agents has been "let it run, you don't need to watch it." I've been pulling on what actually breaks when you take that literally, and the uncomfortable answer is that the scariest failures aren't the agent going rogue. They're the agent doing exactly what it's told -- faithfully -- while someone other than you is the one feeding it the instructions.
A supply chain worm this spring figured that out before most of us did. It didn't hide in a shell profile or a cron job. It wrote itself into the AI agent's own config file, because that's the process that boots every time you sit down to work, holds your tokens, opens your files, and runs commands on a loop. Pull the bad package, clear the cache, do everything muscle memory tells you -- and it's still sitting there waiting for the next session.
What stuck with me is that none of the controls we lean on failed by accident. The approval prompt, the command allowlist, the provenance attestation -- every one was designed for a human reviewing the step before it happens. Then the same vendors shipped walk-away mode on top. You can't sell "you don't need to watch it" and "the allowlist will protect you" in the same breath. One of those is load-bearing and the other isn't, and attackers already know which.
I wrote the full breakdown -- three real CVEs, three layers of the same stack failing along the same fault line. Where's your line on letting an agent run unsupervised?
Read the article here: https://coderlegion.com/20732/i-handed-claude-code-the-keys-turns-out-im-not-the-only-one-using-them
