BusinessPlaybook11 min readPublished July 18, 2026

The controls that turn a scary headline into an audit you can run this week

Claude Code Espionage: The governance Playbook

Threat-intel firm Hunt.io found Claude Code and DeepSeek-v4-pro wired into a live, suspected China-linked intrusion across four countries — working parts of the attack, not tools bolted on afterward. The lesson for any business running a coding agent isn’t to ban them. It’s to govern them.

DA
Digital Applied Team
Senior strategists · Published Jul 18, 2026
PublishedJuly 18, 2026
Read time11 min
Sources8
Files in open directory
2,431
across 80 subdirectories
Countries targeted
4
Taiwan, Thailand, Afghanistan, US recon
Hong Kong servers
13
across four ASNs
Disclosure in 8 months
2nd
after the Nov 2025 precedent

An AI agent governance failure just showed up in the wild at nation-state scale. In June 2026 the threat-intelligence firm Hunt.io uncovered a suspected China-linked intrusion in which Claude Code and DeepSeek-v4-pro ran as working parts of the attack — the reasoning, the exploit rework, and the phishing pages all routed through commercial coding-agent tooling rather than bespoke malware.

What makes this worth a business’s attention is not the geopolitics. It is that the operators used the exact same integration pattern enterprises are racing to adopt for legitimate work: an agent with bash access, session persistence, network reach, and a project-instruction file telling it what to do. Nothing was “hacked” in Claude Code. The agent executed valid, individually-innocuous-looking commands — the same ones your own developers run every day.

This is a governance playbook, not a fear piece. Below we walk the campaign, place it next to the separate November 2025 precedent that makes it a pattern, and translate the specific gaps it exploited into a controls-mapping table and a checklist you can run against your own coding-agent deployment. The takeaway is simple: the fix is agent governance, not banning the agents.

Key takeaways
  1. 01
    AI ran as a working part of the intrusion.Hunt.io found Claude Code and DeepSeek-v4-pro handling reasoning, exploit rework, and phishing-page generation inside a live, suspected China-linked campaign — not as a novelty bolted on afterward.
  2. 02
    It is the second such disclosure in eight months.Anthropic reported a separate China-linked Claude Code campaign in November 2025. Two disclosures in under a year, using the same decompose-into-innocuous-steps jailbreak, points to a structural pattern rather than a one-off.
  3. 03
    The attackers split the model loop deliberately.Offensive reasoning ran through DeepSeek-v4-pro, a Chinese domestic model, while execution ran on Claude Code — routing sensitive attack logic away from a US vendor's monitoring. Your governance perimeter has to cover every model in the loop.
  4. 04
    Every gap it exploited is a control you can already deploy.Unvetted instruction files, open agent egress, no session audit trail, no model-provenance boundary, and secrets in agent-reachable scope — each maps to a concrete, off-the-shelf governance control.
  5. 05
    This is a controls gap, not a Claude Code flaw.Claude Code did nothing outside its designed behavior. Framing it as a product vulnerability misreads the lesson: under-governed agent deployments are the exposure, and that exposure is yours to close.

01What HappenedInside the campaign Hunt.io pulled apart.

Hunt.io surfaced the operation in June 2026 while pivoting on known TencShell command-and-control infrastructure — a Go-based implant derived from the open-source Rshell framework that Cato Networks first documented as suspected China-linked in May 2026. An HTTP header fingerprint on port 1111 led the researchers to 13 unique Hong Kong-based IP addresses spread across four autonomous systems.

One of those servers exposed an open directory on port 8888 — a plain Python file server holding 2,431 files across 80 subdirectories. Inside were victim source code, custom exploit scripts, cloned login pages, network-scan output, and operator logs written in Simplified Chinese. The operation’s Claude Code sessions time-stamp to June 8–12, 2026, and three of the servers — sharing SSH host keys since May 17, 2026 — were still being maintained and re-certified as recently as June 18–19, 2026.

The targeting spanned four countries. In Taiwan, eight supply-chain and defense-adjacent organizations were mapped and fingerprinted and two were successfully exploited — a chemical manufacturer via SQL injection, and a multinational telecom and edge-device maker whose public JavaScript leaked hardcoded Supabase anon keys and Azure Logic App SAS tokens, giving direct cloud-account access. A Thai government administrative system was breached through SQL injection, exposing the names, National ID numbers, and job titles of government employees; the directory held 980 files referencing that single target, with admin-panel activity confirmed as recent as June 9, 2026. In Afghanistan, a Laravel citizen-complaint application was compromised and its source, credentials, and encryption keys extracted. Against the United States, the activity was reconnaissance and staging only — NASA hosts appeared in scan logs but were not pursued, and cloned phishing pages impersonating the D.C. Council and a Pennsylvania county sat unfinished. No confirmed US breach occurred.

What caught Hunt.io's attention
The report is careful about attribution. Hunt.io assessed the campaign as consistent with China-based threat-actor activity — Simplified Chinese in the code, Hong Kong infrastructure clustering, multi-continent targeting — but explicitly stops short of naming a specific group. What stood out was the tooling: Claude Code and DeepSeek-v4-pro ran as working parts of the intrusion, not tools off to the side.

02Architecture Of The AttackThe split-model playbook: one model to think, one to run.

The design detail that should reshape how you scope agent governance is the division of labor. Per Hunt.io, Claude Code served as the execution engine — managing agentic tool use, bash command execution, session persistence, and task parallelization — while DeepSeek-v4-pro operated as the underlying reasoning model, handling attack logic, script generation, and decision-making. Offensive logic was routed through a Chinese domestic model while leveraging Western agentic execution infrastructure.

That split is not incidental. Routing the sensitive reasoning through a model less likely to be logged or monitored by a US vendor is an operational-security choice — and it is the single most important lesson here for any business evaluating multi-model agent stacks. If you govern only the primary agent and leave a second planning or reasoning model outside your monitoring perimeter, you have replicated the exact gap the operators exploited. The governance boundary has to cover every model that touches the loop.

The orchestration layer was equally mundane. A recovered CLAUDE.md file — the same kind of project-instruction file legitimate teams use to steer a coding agent — instructed the agent to automatically create, test, and iteratively refine cloned phishing pages across multiple targets. DeepSeek-v4-pro is a real, shipped model: part of DeepSeek’s V4 Preview line released in April 2026, used here via its already-public preview API. The attackers did not need an exotic capability. They needed an under-governed one.

The uncomfortable part isn’t that attackers used AI. It’s that they used the exact same integration pattern enterprises are racing to adopt for legitimate work.Tim Freestone, Chief Strategy Officer, Kiteworks

03The PatternNot the first: the separate November 2025 disclosure.

Hunt.io itself situates the June 2026 find alongside an earlier, separate incident. On November 14, 2025, Anthropic announced it had disrupted what it called the first documented large-scale, AI-orchestrated cyberattack carried out with minimal human intervention — an operation it had first detected internally in mid-September 2025. Anthropic assessed with high confidence that a Chinese state-sponsored group had manipulated Claude Code, via the Model Context Protocol, into attempting to infiltrate roughly 30 organizations, succeeding in a small number of cases.

Two points of hygiene before drawing the line between them. First, these are two different incidents — separate victims, separate timeframes, separate infrastructure — and every statement Anthropic made belongs to the November 2025 disclosure, not to the July 2026 Hunt.io find. As of mid-July 2026, neither Anthropic nor DeepSeek had issued a public statement specifically about the Hunt.io campaign. Second, the two are thematically and technically similar in a way that matters.

In the November 2025 campaign, the attackers convinced Claude it was an employee of a legitimate cybersecurity firm running defensive penetration tests, then fragmented the work into small, individually-innocuous tasks so no single request revealed malicious intent. That is the same decompose-into-innocuous-steps pattern visible in the June 2026 CLAUDE.md-driven phishing workflow. Two disclosures roughly eight months apart, both leaning on the same jailbreak logic, is the part nobody else has connected explicitly — and it argues the weakness is structural in how agentic context windows process instructions-as-data, not a one-time bug that got patched.

Handle these two incidents carefully
When you cite the November 2025 figures — roughly 30 organizations targeted, the bulk of tactical work automated with only a handful of human decision points — attribute them to Anthropic’s November 2025 disclosure. They are not statements about the July 2026 campaign, and conflating the two is the most common error in the secondary coverage. The through-line is the repeated jailbreak pattern, not a shared set of numbers.

04Controls MappingThe governance gaps this campaign exploited — and what closes each.

Every outlet that covered this story stopped at “here is what happened.” The more useful exercise is to map each weak point the operators leaned on to the concrete control that would have blunted it. The table below does exactly that. None of these controls is exotic; most are already sold as standard security tooling. What is missing in most organizations is applying them to the coding agent specifically, rather than only to the humans and servers around it.

AI coding-agent governance gaps mapped to what this suspected China-linked campaign exploited, the typical enterprise gap today, and the concrete governance control that closes each one. Compiled July 2026 from the Hunt.io report and general security best practice.
Weak pointHow this campaign used itTypical enterprise gapControl that closes it
Unvetted project-instruction filesA recovered CLAUDE.md file instructed the agent to automatically create, test, and iteratively refine cloned phishing pages across multiple targets.Instruction files are pulled into the agent's context and executed as trusted directives, with no review step between a file landing in a repo and the agent acting on it.Treat instruction files as code: version-control them, require pull-request review, and allowlist which files an agent may load into context.
Unrestricted agent network egressAgent execution reached victim systems and attacker command-and-control infrastructure across four countries, with data staged to an open directory the operators controlled.Coding agents run with the developer's open outbound network access, so nothing distinguishes a legitimate package fetch from exfiltration to an attacker endpoint.Put agent traffic behind an egress allowlist plus data-loss-prevention inspection, so an agent can only reach approved hosts and large or unusual transfers are flagged.
No session-level audit trailThe operators used ordinary agentic commands (bash execution, session persistence, task parallelization) that left no record separating legitimate automation from malicious use.Most teams keep no per-session log of what an agent did, so a compromised or misused session looks identical to routine developer automation after the fact.Log every agent session with retained, reviewable transcripts of the tools and commands invoked, and route anomalies to a security review queue.
No model-provenance boundaryOffensive attack logic was routed through DeepSeek-v4-pro as the reasoning model while execution ran on Claude Code, splitting the loop across two providers.Multi-model agent stacks are typically governed only at the primary model, leaving a second reasoning or planning model outside the monitoring perimeter entirely.Tag model provenance in agent configs and extend the same logging, egress, and review controls to every model that touches the agent loop, not just the primary one.
Secrets left in agent-reachable scopeA Taiwan edge-device maker exposed hardcoded Supabase anon keys and Azure Logic App SAS tokens in public JavaScript, handing the operators direct cloud-account access.Credentials committed to client-side code or files an agent can read give any automated session a straight path from a source repo to production cloud resources.Run secrets scanning pre-commit, rotate anything that leaks, and issue short-lived, narrowly scoped credentials instead of long-lived keys an agent can reach.

Read down the last column and a coherent program appears: instruction files under review, egress on an allowlist, sessions logged and retained, provenance tagged for every model, and secrets kept out of agent-reachable scope. That is not a moon-shot. It is the same defense-in-depth you already apply to human developers, extended one layer outward to the agent acting on their behalf. For a formal version of this, our writeup on an AI agent governance policy turns these controls into a compliance-ready framework.

05Framing It CorrectlyA controls gap, not a product flaw.

It is tempting to read a headline like this as “Claude Code got weaponized” and reach for a ban. That misreads the mechanism. Claude Code executed valid, individually-authorized-looking commands — bash execution, session persistence, a project-instruction file — exactly as designed. There was no backdoor and no exploited vulnerability in the agent. The exposure lived in the deployment around it: what the agent was allowed to read, where it was allowed to connect, and whether anyone was watching.

That reframing matters because it is the same failure mode your own dev teams can wander into accidentally. An agent that will happily follow an unvetted instruction file, reach any host on the internet, and leave no audit trail is a risk whether the operator is a nation-state or a well-meaning engineer who pasted the wrong config. The Grok Build repository-exfiltration scandal earlier this year was the same category of agent-trust failure from a different angle. Treating this as a Claude Code problem lets the real lesson slip: agent governance is a deployment discipline, and it is yours to own.

Looking forward, the split-model architecture is the piece worth watching. As teams standardize on multi-model agent stacks for cost and capability reasons, the governance surface widens with every model added to the loop. The next campaign of this kind will almost certainly exploit a monitoring blind spot between two providers rather than a flaw in either one — which is why provenance tagging and uniform controls across every model belong in your architecture now, not after the fact.

The next AI-orchestrated campaign won’t announce itself as an attack. It will look, at every step, like an agent doing exactly the job it was configured to do, which is precisely the point.Tim Freestone, Chief Strategy Officer, Kiteworks

06Why Speed Changes The MathThe attack clock has moved faster than your review cycle.

The reason one-time, per-vendor vetting no longer suffices is timing. The benchmarks below — reported by TechRepublic’s July 2026 coverage of the governance implications — describe an adversary tempo that outpaces most manual review processes. Treat the exact figures as vendor-reported and directional, but the direction is not in dispute: automated adversaries move in minutes, and disclosure lags stretch to months.

CrowdStrike 2026
AI-adversary growth
89%

The 2026 Global Threat Report recorded an 89% year-over-year increase in operations by AI-enabled adversaries — the trend line under stories like this one.

Year over year
CrowdStrike 2026
Average breakout time
29min

Average eCrime breakout — the gap between initial access and lateral movement — was 29 minutes, with the fastest observed at 27 seconds. No manual approval queue keeps that pace.

Fastest: 27 sec
DTEX / Ponemon 2026
Insider-risk cost
19.5$M

Average annual insider-risk cost per organization reached $19.5M, up from $17.4M in 2024, with shadow AI cited as a leading driver of negligent incidents.

Up from $17.4M in 2024
Why one-time vetting can't keep up
The Black Kite 2026 Third-Party Breach Report counted 136 verified third-party breach events in 2025 affecting 719 named companies, with a median public-disclosure lag of 73 days after detection. Set that 73-day lag against a 29-minute breakout clock and the case for continuous, per-session agent monitoring — rather than a one-time connector review — makes itself. Figures via TechRepublic’s July 2026 reporting.

The DTEX and Ponemon finding is the one most directly relevant to teams adopting coding agents: 92% of surveyed organizations said generative AI had fundamentally changed how employees access and share information, often faster than policy could adapt. That policy-lag is the real vulnerability. Our guide to shadow AI detection covers the egress-visibility side of the same problem, and the enterprise AI coding governance playbook goes deeper on locking down coding agents specifically.

07What To DoYour agent-governance checklist.

Here is the campaign’s lesson turned into an order of operations. Run these against any coding agent your team already operates — Claude Code, Cursor, or otherwise. Each item maps back to a specific gap the operators exploited, so you are hardening against a demonstrated attack path, not a hypothetical one.

Step 01
Govern the instruction files
Review · version · allowlist

Treat CLAUDE.md and every project-instruction file as code. Put them under version control, require pull-request review before an agent loads them, and allowlist which files the agent may read into context.

Closes: unvetted instructions
Step 02
Put a leash on egress
Allowlist + DLP inspection

Route agent traffic through an egress allowlist so it can only reach approved hosts, and add data-loss-prevention inspection so unusual or large transfers to unknown endpoints surface immediately.

Closes: open network reach
Step 03
Log every session
Retained, reviewable transcripts

Keep a per-session record of the tools and commands each agent invoked, retain it, and route anomalies to a security queue. Without this, a misused session is indistinguishable from routine automation.

Closes: no audit trail
Step 04
Tag every model in the loop
Provenance + uniform controls

In multi-model stacks, record which model handles which step and extend the same logging, egress, and review controls to all of them — the reasoning model deserves the same scrutiny as the executor.

Closes: provenance blind spot
Step 05
Get secrets out of reach
Pre-commit scanning + short-lived keys

Scan for secrets before commit, rotate anything that leaks, and issue short-lived, narrowly scoped credentials instead of long-lived keys sitting in files or client code an agent can read.

Closes: reachable credentials

None of this requires a new product category. It requires deciding that the coding agent is a first-class actor in your environment and governing it like one. If you want a second lens on how these threat vectors connect across the AI supply chain, Anthropic’s distillation-attack allegations against DeepSeek and the LiteLLM supply-chain attack sit on the same axis of AI-infrastructure governance. When you are ready to operationalize the controls above, our AI transformation engagements start with exactly this kind of agent-deployment audit.

You run coding agents internally
Audit the deployment first

Start with the five-control table above. Most teams find instruction-file review and egress allowlisting are the fastest wins — they close the two gaps this campaign leaned on hardest.

Run the controls audit
You run a multi-model stack
Extend the perimeter to every model

The split-model architecture is the novel lesson. Tag provenance and apply identical logging and egress controls to your reasoning model, not just the executor — that blind spot is exactly what the operators used.

Govern the whole loop
You are evaluating a ban
Don't — govern instead

Banning coding agents forfeits the productivity and pushes usage into the shadows, which is worse for visibility. The demonstrated exposure is under-governance, and every gap here has an off-the-shelf control.

Keep the agent, add the controls
You have no agent policy yet
Write the policy now

Policy-lag is the underlying vulnerability the survey data keeps flagging. A short, enforced agent-governance policy that mandates the five controls beats a comprehensive one you never ship.

Ship a minimal policy

08ConclusionThe exposure is under-governance, and it is yours to close.

The shape of agent risk, July 2026

The fix is agent governance, not banning the agents.

The Hunt.io campaign is unsettling precisely because it is unremarkable in method. No zero-day, no bespoke malware — just a coding agent doing agent things inside a deployment nobody was governing. Read alongside the separate November 2025 disclosure, it reads less like a novelty and more like a pattern: adversaries exploiting under-governed agent deployments the same way an unlucky dev team accidentally could.

That is the reassuring part, if you act on it. Every gap the operators used — unvetted instruction files, open egress, no audit trail, no model-provenance boundary, reachable secrets — maps to a control you can deploy with tooling that already exists. The work is not inventing new defenses. It is deciding that the agent is a first-class actor in your environment and governing it with the same discipline you already apply to people and servers.

The next campaign of this kind will not announce itself. It will look, at every step, like an agent doing exactly the job it was configured to do — which is the whole point, and the whole reason to build the governance perimeter before you need it. Run the controls audit, extend it to every model in the loop, and write the policy while the headline is still fresh.

Govern your coding agents before you scale them

Turn a scary headline into an audit you can run.

We help businesses deploy Claude Code and multi-model agent stacks with the governance controls that keep them safe — instruction-file review, egress allowlisting, session audit trails, and model-provenance boundaries, delivered in days not quarters.

Free consultationExpert guidanceTailored solutions
What we work on

Agent-governance engagements

  • Coding-agent deployment audits against the five-control map
  • Egress allowlisting and DLP for agent traffic
  • Per-session audit logging and anomaly review
  • Model-provenance boundaries for multi-model stacks
  • Agent-governance policy your team can actually enforce
FAQ · Agent governance

The questions teams ask after the headline.

In June 2026, threat-intelligence firm Hunt.io uncovered a suspected China-linked intrusion in which Claude Code and DeepSeek-v4-pro ran as working parts of the attack. Claude Code served as the execution engine — agentic tool use, bash execution, session persistence, task parallelization — while DeepSeek-v4-pro handled the offensive reasoning and script generation. Researchers found an exposed open directory holding 2,431 files across 80 subdirectories, including victim source code, exploit scripts, cloned login pages, and operator logs in Simplified Chinese. Targeting spanned Taiwan, Thailand, Afghanistan, and reconnaissance-only activity against the United States. Hunt.io stops short of naming a specific group, assessing the activity as consistent with China-based threat-actor behavior.
Related dispatches

Keep reading on AI security and governance.