When Background AI Agents Become a Security Boundary Problem | Origin
2026-05-25 · Ben Gabay

Introduction

Modern dev environments are full of powerful agentic tools that security teams don't fully understand yet. Claude Code is one of the most capable: it runs code, reads files, fetches content from the internet, executes commands, and can also run persistent background sessions that outlive the terminal and are managed by a supervisor process. The same features that make it powerful for developers make it interesting for attackers. In this post, we will show how we utilize different Claude Code features to create a mostly invisible, persistent C2-like agent using only Markdown and JSON files after one-time local code execution on the target machine.

Discovery

This post started from a conversation with my colleague Mitchell Turner, the author of Brainworm, which is a must-read. He'd been experimenting with the new agents view feature Anthropic released with Claude Code version v2.1.139 and noticed something worth digging into further.

Agent view, opened with claude agents, is one screen for all your background sessions.
(Anthropic Official Documentation)
The Parts That Make It Possible

Claude Code contains several features that together make all of this possible.

Background Sessions

Background sessions were introduced in version v2.0.60. They let a user start a long-running task that keeps going in the background while they carry on with other work.

# Start a background session
claude --bg "prompt to Claude."

# Open the new agent view (v2.1.139+)
claude agents

# Reattach to a session
claude attach
If you used background sessions before v2.1.139 and closed the terminal, the background session ended. Starting with v2.1.139 that is no longer the case, because of something Anthropic refers to as the "supervisor process."

Under the Hood - The Supervisor Process

When a background session is first requested, a supervisor process spawns automatically via an undocumented claude daemon subcommand. All subsequent background sessions run as worker processes parented to this supervisor, not to any user shell.

The practical implication is straightforward: the session lifecycle is no longer tied to the terminal that created it. Closing a terminal, ending an SSH connection, or starting a new shell session has no effect on running background sessions. The supervisor manages them.

Some Reverse Engineering of the Undocumented Daemon Process (version 2.1.144)

Using codex and ghidra-mcp (Bethington-ghidra-mcp, a maintained fork of the popular Laurie-ghidra-mcp), I analyzed the daemon process, which acts like a small local control plane. When the user runs commands like claude --bg, claude agents, or claude attach, the Claude CLI talks to the supervisor daemon over a local IPC channel, and the daemon manages the actual background Claude worker processes.

On Windows, this IPC is implemented with named pipes. Claude stores a pipe namespace key in ~\.claude\daemon\pipe.key, and the pipe names follow this pattern (<key> is assumed here to stand for that namespace key; the extracted page dropped the placeholder):

\\.\pipe\cc-daemon-<key>-control - 1 per daemon process
\\.\pipe\cc-daemon-<key>-rv-<worker> - 1 per live worker
\\.\pipe\cc-daemon-<key>-pty-<worker> - 1 per live worker

On macOS and Unix-like systems, Claude uses Unix domain sockets. The socket directory is derived from the user's uid and the active Claude config directory: /tmp/cc-daemon-<uid>/<config-hash>/. For example, my user uid is 501 and my config path is /Users/ben/.claude, so the sockets are found at /tmp/cc-daemon-501/83caf64a. Inside you will find:

control.sock - main daemon control channel
rv/<worker>.sock - 1 per live worker
pty/<worker>.sock - 1 per live worker
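Because every live worker leaves an rv and a pty socket behind in that directory, a defender can take an inventory of background workers that have outlived their terminals without talking to the daemon at all. The following script is an added example, not code from the post or from Claude Code; it assumes exactly the macOS/Unix layout described above (/tmp/cc-daemon-<uid>/<config-hash>/ with control.sock, rv/<worker>.sock and pty/<worker>.sock) and builds a constructed sample tree with plain files standing in for the sockets so it runs anywhere.

```python
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class DaemonInventory:
    """What can be read off one daemon directory without connecting to it."""
    root: Path
    has_control: bool                               # control.sock present
    rv_workers: set = field(default_factory=set)    # worker ids seen under rv/
    pty_workers: set = field(default_factory=set)   # worker ids seen under pty/

    @property
    def live_workers(self) -> list:
        # Count a worker as live only when both of its channels exist.
        return sorted(self.rv_workers & self.pty_workers)

    @property
    def half_torn_down(self) -> list:
        # A socket in one directory but not the other: stale or mid-teardown.
        return sorted(self.rv_workers ^ self.pty_workers)


def _socket_ids(subdir: Path) -> set:
    """Worker ids are the socket file names without the .sock suffix."""
    if not subdir.is_dir():
        return set()
    return {p.stem for p in subdir.iterdir() if p.suffix == ".sock"}


def inventory_daemon_dir(root: Path) -> DaemonInventory:
    """Inventory one /tmp/cc-daemon-<uid>/<config-hash>/ directory."""
    return DaemonInventory(
        root=root,
        has_control=(root / "control.sock").exists(),
        rv_workers=_socket_ids(root / "rv"),
        pty_workers=_socket_ids(root / "pty"),
    )


def find_daemon_dirs(tmp: Path, uid: int) -> list:
    """One daemon directory per Claude config directory in use by this uid."""
    base = tmp / f"cc-daemon-{uid}"
    if not base.is_dir():
        return []
    return sorted(p for p in base.iterdir() if p.is_dir())


def build_sample_tree(tmp: Path) -> Path:
    """Constructed sample tree: uid 501 and config hash 83caf64a (the post's own
    example), two live workers and one whose pty socket is already gone.
    Worker ids are made up; plain files stand in for the sockets."""
    root = tmp / "cc-daemon-501" / "83caf64a"
    (root / "rv").mkdir(parents=True)
    (root / "pty").mkdir()
    (root / "control.sock").touch()
    for wid in ("a1b2", "c3d4"):
        (root / "rv" / f"{wid}.sock").touch()
        (root / "pty" / f"{wid}.sock").touch()
    (root / "rv" / "e5f6.sock").touch()   # rv socket only: half torn down
    return root


def demo() -> dict:
    """Run the inventory over the constructed tree and return a summary."""
    with tempfile.TemporaryDirectory() as td:
        tmp = Path(td)
        build_sample_tree(tmp)
        dirs = find_daemon_dirs(tmp, 501)
        inv = inventory_daemon_dir(dirs[0])
        return {
            "daemon_dirs": len(dirs),
            "has_control": inv.has_control,
            "live": inv.live_workers,
            "half_torn_down": inv.half_torn_down,
        }


if __name__ == "__main__":
    print(demo())
```

Pointing find_daemon_dirs at the real /tmp and the user's uid turns this into a periodic host check: a non-empty live_workers list for a user with no interactive Claude session open is exactly the "survives the terminal" behaviour the post describes, and a control.sock with no workers at all is a supervisor idling after its jobs finished.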
The control socket/pipe is the main management channel. This is what Claude commands use to ask the daemon to list sessions, attach to a session, stop a job, and so on. The communication protocol of the control socket/pipe is newline-delimited JSON. The messages include a protocol version and an operation name. Some of the operations recovered from the binary analysis include: list, dispatch, attach, subscribe, reply, kill, resize. The rv socket is daemon-to-worker lifecycle communication. The...
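A newline-delimited JSON channel with a small fixed set of operation names is easy to audit once captured: each line is one frame, and anything that is not a well-formed frame carrying a known operation deserves a second look. The parser below is an added example, not the daemon's code or its real wire format; the field names "v" and "op" are assumptions made only so the example runs, and the sample stream is constructed. Only the operation-name list (list, dispatch, attach, subscribe, reply, kill, resize) comes from the post.

```python
import json

# Operation names the post reports recovering from the daemon binary.
KNOWN_OPS = frozenset(
    {"list", "dispatch", "attach", "subscribe", "reply", "kill", "resize"}
)

# Assumed field names for illustration only; the real wire format is not on the page.
VERSION_FIELD = "v"
OP_FIELD = "op"


def classify_frame(raw: str) -> tuple:
    """Return (status, op) for one newline-delimited JSON frame.

    status is one of: ok, unknown_op, missing_field, malformed.
    """
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return ("malformed", None)
    if not isinstance(msg, dict) or VERSION_FIELD not in msg or OP_FIELD not in msg:
        return ("missing_field", None)
    op = msg[OP_FIELD]
    if op not in KNOWN_OPS:
        return ("unknown_op", op)
    return ("ok", op)


def scan_stream(stream: str) -> list:
    """Classify every non-empty line of a captured control-channel stream.

    Returns (line_number, status, op) tuples; blank lines are skipped because
    the framing is one JSON document per line.
    """
    return [
        (n, *classify_frame(line))
        for n, line in enumerate(stream.splitlines(), 1)
        if line.strip()
    ]


def suspicious(results: list) -> list:
    """Frames a reviewer should look at: anything that is not a clean known op."""
    return [r for r in results if r[1] != "ok"]


# Constructed capture: two good frames, an operation the binary does not
# implement, a frame without a version, a truncated frame, a blank line,
# and one more good frame.
SAMPLE_STREAM = "\n".join([
    '{"v": 1, "op": "list"}',
    '{"v": 1, "op": "dispatch", "prompt": "summarise the repo"}',
    '{"v": 1, "op": "exec"}',
    '{"op": "attach"}',
    '{"v": 1, "op": "kill", "session": "a1b2"',
    '',
    '{"v": 1, "op": "resize", "cols": 120, "rows": 40}',
])


if __name__ == "__main__":
    for line_no, status, op in suspicious(scan_stream(SAMPLE_STREAM)):
        print(f"line {line_no}: {status} {op or ''}".rstrip())
```

The allowlist is the point: a control channel whose whole vocabulary fits in seven words is one where an operation outside that set, or a client speaking a different protocol version, is a cheap and precise thing to alert on, whichever field names the real frames turn out to use.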