Lasso Security — Open-Source Claude Code Prompt Injection Defender

AI relevance: Lasso Security releases an open-source PostToolUse hook for Claude Code that detects indirect prompt injection in tool outputs at runtime — a practical defense layer for the most dangerous attack surface in agentic coding tools.

• Lasso Security published claude-hooks, an open-source solution that adds runtime prompt injection detection to Claude Code via PostToolUse hooks.
• The defender intercepts tool outputs (file reads, web fetches, MCP responses) before Claude Code processes them, scanning for known injection patterns.
• Four injection categories are detected: instruction overrides ("ignore previous instructions"), role-playing/jailbreaks, encoding/obfuscation (Base64, leetspeak, zero-width characters), and context manipulation (fake admin messages, forged system prompts).
• The research demonstrates indirect prompt injection attack vectors: poisoned README files in cloned repos, malicious web pages fetched during research, and trojan MCP server responses.
• The fundamental problem identified: Claude Code processes untrusted content (web pages, code comments, API responses) with the same privileges as user instructions.
• With --dangerously-skip-permissions, there is no human checkpoint to catch suspicious behavior — making runtime detection the only remaining defense layer.
• Anthropic's built-in injection resistance is acknowledged as imperfect: novel techniques, volume attacks, and context-dependent payloads still slip through.

Why it matters

Claude Code's power — reading entire codebases, executing shell commands, fetching web pages — is also its greatest vulnerability. Every tool output is a potential injection vector. PostToolUse hooks provide a defense-in-depth layer that Anthropic's built-in safeguards alone cannot guarantee, especially for users running autonomous sessions with permissions bypassed.

What to do

• Install Lasso's claude-hooks if you run Claude Code with --dangerously-skip-permissions or in any semi-autonomous mode.
• Audit which MCP servers your agents connect to — each is a trust boundary and potential injection vector.
• Treat cloned repositories as untrusted until scanned; injection payloads can hide in markdown files, code comments, or documentation pages.
• Consider running injection detection hooks as a mandatory layer for any production agentic coding workflow, regardless of the model's claimed safety training.

Sources

• Lasso Security — "The Hidden Backdoor in Claude Code"
• GitHub — lasso-security/claude-hooks
• Lasso Security — Prompt Injection Taxonomy & Techniques