AI Coding Roundup — June 23, 2026: Claude Code, OpenCode & Agentjacking

The pace of AI coding tool updates shows no sign of slowing. On June 22, Anthropic shipped Claude Code v2.1.186 with long-awaited MCP server authentication commands and tighter auto mode safety guards. OpenCode followed with v1.17.9, adding GLM-5.2 thinking variants and improved agent step limit handling. Meanwhile, a new attack vector called Agentjacking is targeting developers' unconditional trust in AI assistants — with an 85 per cent exploitation rate across 2,388 organisations.

Claude Code v2.1.186 — MCP Auth Commands, Plugin Skills & Auto Mode Safety

The June 22 release of Claude Code is the most feature-packed in weeks. The headline addition is native MCP server authentication: running claude mcp login <name> opens an OAuth flow to authenticate against an MCP server, and claude mcp logout <name> clears those credentials. Both commands accept the --no-browser flag for headless and SSH-only environments — a common ask from teams running Claude Code on remote development boxes.

Studio users now see a dedicated Skills section inside the Installed tab, making it easier to browse and invoke plugin-provided skills without leaving the interface. A companion teammateMode: "iterm2" setting extends the teammate workflow to Apple Terminal users, opening a side-by-side iTerm2 pane on command. The Workflows agent detail view also gains status filtering via the f key, making it easier to monitor long-running multi-agent jobs.

For power users: prefixing any shell command with ! in the chat input now triggers an automatic Claude response once the command completes — ideal for quick feedback loops after running tests or builds. The behaviour is opt-out via the new "respondToBashCommands": false project setting. Stability fixes include streaming resumption after device sleep, subagent transcript corruption that was causing partial session loss, and an alignment fix for multi-line permission prompts.

OpenCode v1.17.9 — GLM-5.2 Thinking Variants and Agent Step Limits

OpenCode v1.17.9, released June 21, brings two important developer-facing additions. First, the tool now supports GLM-5.2 thinking variants — extended reasoning chains from the GLM model family that expose the agent's intermediate reasoning before it commits to a code change, giving you visibility into why a suggestion was made. Second, agent step limit handling has been improved to prevent runaway agentic sessions from consuming unbounded tokens and compute budget.

Under the hood, Devstral model detection was fixed for providers that surface the model under non-standard endpoint paths. MCP tool schema handling was also tightened to avoid silent failures when a server returns multi-type field definitions — a compatibility issue that was causing certain tools to silently drop from the context. The TUI gains keyboard shortcut optimisations for subagent workflows, reducing the keystrokes needed to inspect and resume background agents.

Devin Desktop v3.2.16 — Plugin System Preview for Enterprises

Devin Desktop — formerly Windsurf, rebranded by Cognition on June 2 — shipped v3.2.16 on June 16 with a significant enterprise feature: the Devin Plugin System. Currently in opt-in preview for enterprise customers, plugins extend Devin Local (the on-premises variant) with custom tool and workflow integrations. The release builds on the v3.0 foundation that introduced the open Agent Client Protocol (ACP) as the default surface, replacing the traditional code editor UI with an agent-first command centre.

Agentjacking — The Security Threat Exploiting AI Agent Trust

Security researchers have documented Agentjacking, a new attack class that has achieved an 85 per cent exploitation rate across 2,388 targeted organisations. The attack exploits the same behavioural trait that makes AI coding agents effective: developers have trained themselves to trust agent-generated instructions. When Claude Code, GitHub Copilot Workspace, or a similar tool tells you to run a command, most developers execute it without reviewing the underlying action — that unconditional trust is the exploit surface.

The attack injects malicious instructions into artefacts the agent reads — README files, tool call descriptions, inline documentation, or MCP server responses — causing the agent to relay those instructions to the developer as if they were its own recommendations. Practical mitigations include reviewing every agent-proposed shell command before execution, leveraging Claude Code's destructive-command blocking (introduced in v2.1.183 and active by default in auto mode), and auditing every MCP server your workspace connects to for untrusted content sources.

Resources & Further Reading

Claude Code Official Changelog — full release notes for v2.1.186 and all prior versions.

OpenCode Changelog — v1.17.9 and the full version history.

Devin Desktop Release Tracker (Havoptic) — v3.2.16 plugin system details and ACP architecture overview.

AI News Today — June 22, 2026 — Agentjacking coverage and broader AI ecosystem updates.

Releasebot — Claude Code Update History — automated tracking of every Anthropic release note since launch.

The New Stack — Cursor, Claude Code, and Codex Merging into One Stack — analysis of how the AI coding tool ecosystem is converging in 2026.