Last Week in AppSec for 26. February 2026
ID: 5a848d43-bd60-5fab-a720-e2e33ddceb60
STIX ID: report--5a848d43-bd60-5fab-a720-e2e33ddceb60
Feed Name: Checkmarx Zero
This Checkmarx report details multiple high-risk issues in AI developer tools: Claude Code hook and MCP configuration vulnerabilities (CVE-2025-59536 and CVE-2026-21852) that allow remote command execution via malicious repository files, and a GitHub Copilot prompt-injection technique in Codespaces that can exfiltrate GITHUB_TOKEN values. The article explains attack mechanics, points to researcher write-ups, and recommends mitigations such as updating software, treating config changes with high scrutiny, and heeding trust dialogs.
