The Coding Agent Ecosystem Is Now a Target
Attackers aren't just targeting what coding agents do — they're going after the entire ecosystem around them. InstallFix is only the latest example.

Attackers are seriously going after the coding agent ecosystem. This is no longer a theoretical risk — it’s an active, expanding campaign surface, and the pace is accelerating.
Here’s a recent data point: a campaign called InstallFix bought search ads targeting developers looking up how to install Claude Code. The ads pointed to fake installation guides. Developers who followed them had their credentials, API keys, and SSH keys silently exfiltrated.
The lure works because the situation is real. These tools are CLI-based. Setup isn’t always obvious. Developers move fast and trust Google results. That combination — legitimate confusion, high-trust context, and speed — is exactly what makes this attack surface so exploitable.
But InstallFix is a single campaign. The more important story is the trend behind it.
Targeting the Ecosystem, Not the Code
Over the last year we’ve seen a consistent pattern of attacks targeting not the code that coding agents write, but the ecosystem and runtime that surrounds them:
Supply chain attacks on MCP servers. Model Context Protocol servers extend what agents can do — and attackers know it. Malicious or compromised MCP servers can feed agents harmful instructions, exfiltrate context, or pivot into the host environment.
Malicious VS Code extensions. Extensions have always been a vector, but the integration of coding agents into the IDE has raised the stakes. A malicious extension with access to agent sessions has access to everything the agent touches.
Typosquatted packages built for AI workflows. Attackers are registering package names that closely resemble tools common in agent setups — slightly misspelled, plausibly named, ready to harvest credentials from developer machines.
Malicious skills and plugins. Skills extend what an agent can do locally. A malicious skill can manipulate agent behavior, intercept sensitive context, or grant itself access to resources the developer never intended to expose.
What these attacks share is a common logic: get into the agent’s trust boundary before the agent starts working. Once inside that boundary — as a server, extension, package, or skill — you inherit everything the agent can reach.
The Gap Being Exploited
The tools are moving faster than the security awareness around them. Developers are adopting coding agents at a pace that outstrips the usual institutional controls: security reviews, vendor vetting, package audits, extension governance. The result is a wide-open window for attackers who are clearly paying attention.
Attackers aren’t just targeting what coding agents do. They’re targeting the entire ecosystem around them: the install flow, the extensions, the dependencies, the configuration, the servers the agent connects to.
That’s a fundamentally different threat model than securing the model itself.
What To Do About It
Security teams and developers running coding agents should treat the agent ecosystem the same way they’d treat any complex software supply chain — because that’s exactly what it is:
- Verify installation sources. Official docs, official package managers. Treat any third-party “installation guide” with the same skepticism you’d give an unknown installer.
- Audit extensions and plugins. Know what’s installed, what it has access to, and where it came from. Unknown provenance is a red flag.
- Review MCP server connections. Understand which servers your agents connect to and what permissions they’re granted. High-privilege MCP connections deserve scrutiny.
- Generate SBOMs for agent toolchains. Treat the agent’s dependency graph as a security artifact, not just a dev concern.
- Monitor runtime behavior. Installation-time controls help, but agents operate dynamically. Visibility into what an agent actually does at runtime is the only way to catch what static review misses.
The research from NeuracybIntel on the InstallFix campaign is worth reading in full. The technical detail grounds what can otherwise feel like an abstract threat.
The attack surface is already much wider than most organizations realize. The question isn’t whether your agent ecosystem is a target. It is. The question is whether you have the visibility to know what’s happening inside it.