AnalysisCybersecurityJuly 14, 2026
Claude Code subagent returns prompt-injection payload
A Reddit user reports a Claude Code subagent returned a prompt-injection payload with hidden 'never tell the user' instructions after 22 seconds of no tool calls. The post describes a potentially dangerous security issue in automated code review workflows.