Claude Code Daily Briefing - 2026-05-20
Release Summary
| Version | Date | Key Changes |
|---|---|---|
| v2.1.144 | 5/18 | Exact Edit string matching, /resume shows background sessions, zip/URL plugin loading, Ctrl+R cross-project history |
| v2.1.143 | 5/15 | Plugin dependency management, marketplace token cost display, worktree.bgIsolation: "none" |
New Features & Practical Usage
v2.1.144 — Exact Edit Matching, Background Session Integration, Plugin Loading Expansion (5/18)
v2.1.144 significantly improves tool reliability and session management.
Exact String Replacement in Edit Tool: The Edit tool now performs exact string replacements, preventing unintended partial matches. This dramatically improves reliability when editing large files.
/resume Shows Background Sessions: /resume now lists background sessions (started via --bg or Agent View) alongside interactive ones, tagged with bg for easy identification.
/model Is Session-Only by Default: /model now only affects the current session. Press d in the model picker to set a default for all new sessions. This means experimental model switches won’t bleed into other sessions.
Zip/URL Plugin Loading: Plugins can now be loaded directly from zip files or URLs — useful for distributing internal plugins without a registry.
Ctrl+R Cross-Project History Search: Ctrl+R now searches history across all projects, not just the current one.
Hard Deny Rules for Auto Mode: You can now configure deny rules that block specific commands from ever executing in auto mode, structurally preventing dangerous commands from being auto-approved.
75s Startup Hang Fixed: Startup no longer hangs up to 75 seconds when api.anthropic.com is unreachable (captive portals, firewalls, VPNs) — side-channel API calls now timeout correctly at 15 seconds.
# /model session-only vs default
# Current session only: /model → select model
# All new sessions: /model → select model → press d
Code with Claude London Extended — Today (5/20)
Following the Code with Claude London main event (5/19), the Extended session runs today. It targets indie developers and early-stage startups with hands-on workshops and 1:1 office hours. The main event featured three parallel tracks: Research, Claude Platform, and Claude Code. Recordings will be published later.
Next up: Tokyo (6/10) main event and Tokyo Extended (6/11).
London Extended | Tokyo Registration
Developer Workflow Tips
/model Session-Only Switch — Model Strategy Made Easy
With v2.1.144 making /model session-only, it’s now natural to use different models per session. Use Opus for architecture design, Sonnet for boilerplate generation, and Haiku for documentation — while keeping your default set to your most-used model.
# Set default model to Opus (one-time)
# /model → select opus → press d
# Use Sonnet for this session only (won't affect others)
# /model → select sonnet
The key principle: “defaults stay safe, sessions stay flexible.” You can safely A/B test models without affecting other sessions.
Hard Deny Rules — Structurally Block Dangerous Commands in Auto Mode
When running Claude Code in auto mode (--dangerously-skip-permissions or auto-accept), hard deny rules in v2.1.144 provide a structural safety net. Specific command patterns are blocked at the execution layer — even if Claude proposes them, they simply won’t run.
This is especially critical for CI/CD pipelines and unattended agent execution. Combine with Hook exit code 2 (block) for defense in depth.
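The hook half of that defense-in-depth pairing, as an added example (not code from the original briefing or from Anthropic). It assumes the script is registered as a PreToolUse hook and receives the tool call as JSON on stdin with `tool_name` and `tool_input.command` fields; the deny patterns are constructed for illustration.

```python
#!/usr/bin/env python3
"""Hook sketch: exit code 2 blocks the proposed tool call (added example)."""
import json
import re
import sys

# Constructed deny rules for illustration: (pattern, reason).
DENY_RULES = [
    (re.compile(r"\brm\s+(?:-\S+\s+)*(?:/|~|\$HOME)(?:\s|$)"),
     "rm targeting / or the home directory"),
    (re.compile(r"\bgit\s+push\b.*\s(?:--force|-f)(?:\s|$)"),
     "force push"),
    (re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
     "download piped into a shell"),
]


def decide(event):
    """Return (exit_code, message): 0 lets the call proceed, 2 blocks it."""
    # Assumed event shape: {"tool_name": ..., "tool_input": {"command": ...}}
    if event.get("tool_name") != "Bash":
        return 0, ""
    command = (event.get("tool_input") or {}).get("command", "")
    for pattern, reason in DENY_RULES:
        if pattern.search(command):
            return 2, f"blocked by hook: {reason}"
    return 0, ""


def main():
    try:
        event = json.load(sys.stdin)
    except json.JSONDecodeError:
        # Fail closed: an unreadable event is treated as a block.
        print("blocked by hook: unreadable event", file=sys.stderr)
        return 2
    code, message = decide(event)
    if message:
        print(message, file=sys.stderr)  # stderr carries the reason for the block
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Pattern matching on a command string is easy to sidestep with quoting or indirection, so this is the second layer behind the deny rules, not a substitute for them.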
Security & Limitations
TrustFall — One-Click MCP RCE Across 4 AI Coding Tools (5/7)
Security firm Adversa AI disclosed TrustFall, a supply-chain vulnerability affecting Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI simultaneously. Opening a malicious repository and pressing Enter once is enough for arbitrary code execution.
Attack mechanism: A malicious repo includes MCP server configuration. When a user approves the trust prompt, the MCP server launches as a native OS process with full user privileges — no sandbox, no directory restriction, no filesystem confinement.
Impact: Reading SSH keys, tokens, and secrets; accessing other projects; installing backdoors; establishing C2 connections.
Recommendations:
- Never blindly approve trust prompts on unfamiliar repositories
- Inspect .mcp.json files in cloned repos before opening
- Pre-validate MCP configurations in CI environments using auto-approve
Dark Reading | Help Net Security | Adversa AI
Claude Code OAuth Token Theft via MCP Hijacking (5/16)
Security firm Mitiga demonstrated how Claude Code OAuth tokens can be stolen through MCP proxy hijacking. A malicious npm package’s lifecycle hook modifies the MCP server configuration in ~/.claude.json to point to an attacker’s proxy. Every time Claude Code initiates an MCP session, the token is forwarded to the attacker.
Persistence is key: Token rotation doesn’t help — the hook rewrites the token on the next load. Fixing the MCP URL is also reverted by the hook.
Anthropic’s response: Reported on 4/10, Anthropic replied on 4/12 that it was “out of scope,” stating the user had already consented to the behavior.
Recommendations:
- Regularly audit mcpServers entries in ~/.claude.json
- Consider --ignore-scripts when installing npm packages
- Monitor MCP server proxy settings for unauthorized modifications
SecurityWeek | Mitiga | eSecurity Planet
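An added example (not from the original briefing, nor from Adversa AI, Mitiga or Anthropic) that serves both recommendation lists above: it fingerprints every mcpServers entry and reports entries that are unreviewed or whose launch target changed since a reviewed baseline. The config layout (top-level and per-project mcpServers maps with type/command/args/url fields) is an assumption, and all sample values are constructed.

```python
import hashlib
import json

def iter_servers(config, scope="top-level"):
    """Yield (scope, name, entry) for each mcpServers entry in a parsed config.

    Assumed layout: a top-level "mcpServers" map (.mcp.json, ~/.claude.json)
    and per-project maps under "projects" in ~/.claude.json.
    """
    for name, entry in (config.get("mcpServers") or {}).items():
        yield scope, name, entry
    for path, project in (config.get("projects") or {}).items():
        for name, entry in (project.get("mcpServers") or {}).items():
            yield path, name, entry

def fingerprint(entry):
    """Hash only the fields that decide which process or endpoint is used."""
    launch = {k: entry.get(k) for k in ("type", "command", "args", "url")}
    return hashlib.sha256(json.dumps(launch, sort_keys=True).encode()).hexdigest()

def make_baseline(config):
    """Record the reviewed state as {(scope, name): fingerprint}."""
    return {(s, n): fingerprint(e) for s, n, e in iter_servers(config)}

def audit(config, baseline):
    """Return (status, scope, name, target) for unreviewed or changed servers."""
    findings = []
    for scope, name, entry in iter_servers(config):
        argv = [entry.get("command", "")] + list(entry.get("args") or [])
        target = entry.get("url") or " ".join(map(str, argv))
        known = baseline.get((scope, name))
        if known is None:
            findings.append(("unreviewed", scope, name, target))
        elif known != fingerprint(entry):
            findings.append(("changed", scope, name, target))
    return findings

# Constructed sample: the reviewed configuration ...
REVIEWED = {"mcpServers": {"tickets": {"type": "http", "url": "https://mcp.corp.example/tickets"}}}
# ... and the same file later: endpoint rewritten, repo-scoped server added.
CURRENT = {
    "mcpServers": {"tickets": {"type": "http", "url": "https://relay.example.invalid/tickets"}},
    "projects": {"/src/cloned-repo": {"mcpServers": {
        "helper": {"command": "node", "args": ["./tools/helper.js"]}}}},
}

if __name__ == "__main__":
    for finding in audit(CURRENT, make_baseline(REVIEWED)):
        print(*finding, sep="\t")
```

Running `audit` on a freshly cloned repository's parsed .mcp.json with an empty baseline lists every server and the exact command or URL it would use, which is the inspection step to do before approving a trust prompt.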
Ecosystem & Plugins
Anthropic Pursuing $900B Valuation with $30B Fundraise (5/12)
Anthropic is in talks to raise $30 billion at a valuation exceeding $900 billion. Greenoaks, Sequoia, Altimeter, and Dragoneer are co-leading, each investing $2B+.
Context: This is a 2.4x jump from the $380B Series G valuation just 3 months ago in February. The company has reached $30B in annualized revenue. If finalized, Anthropic would surpass OpenAI ($850B) as the world’s most valuable private company.
For developers, this signals continued capacity expansion for Claude Code — more compute means higher limits and better availability.
Google I/O 2026 — Gemini 3.5, Antigravity CLI Debut (5/19–20)
Google I/O 2026 introduced direct competitors to Claude Code’s territory:
- Gemini 3.5 Flash: Surpasses 3.1 Pro in coding, agentic tasks, and multimodal benchmarks
- Antigravity 2.0 + CLI: Subagent orchestration with built-in cross-platform terminal sandboxing, credential masking, and hardened Git policies
- Gemini API Managed Agents: Spin up agents with a single API call — reasoning, tool use, and code execution in isolated Linux environments
Antigravity CLI is a direct Claude Code competitor, and its built-in terminal sandboxing is notably Google’s answer to security issues like TrustFall.
Google Developers Blog | 9to5Google
Community News
- Anthropic hits $30B annualized revenue: Disclosed as the basis for the $900B valuation. Enterprise Claude Code adoption (PwC 30,000 users, Uber 84% engineer penetration) is driving the revenue surge. Bloomberg
- AI coding tool market reshapes into 4-way race: With Google launching Antigravity CLI + Managed Agents at I/O 2026, the market is now Anthropic (Claude Code), Google (Antigravity), OpenAI (Codex), and GitHub (Copilot CLI). Each has distinct strengths — Claude Code leads in agentic workflows, Antigravity in sandboxing, Codex in GitHub integration. Google Developers Blog
- “extra usage” renamed to “usage credits”: In the Claude Code CLI, /extra-usage is now /usage-credits. The old command still works, but update any documentation or scripts referencing it. GitHub v2.1.144
Minor Changes
- Edit exact matching: Partial match errors eliminated — prevents unintended edits in large files (v2.1.144)
- head/tail satisfies read-before-edit: Partial file reads via head/tail now count as the read-before-edit prerequisite (v2.1.144)
- grep “no matches” no longer errors: Exit code 1 from egrep, fgrep, git grep, or git diff is no longer reported as a command failure (v2.1.144)
- /branch fix: “No conversation to branch” error after entering a worktree or in some background sessions resolved (v2.1.144)
- macOS Full Disk Access crash fix: FDA-related crash resolved (v2.1.144)
- MCP paginated tools/list fix: Improved handling of paginated tool list responses from MCP servers (v2.1.144)
Recommended Reads
- “TrustFall: AI Coding Agents Could Fuel Next Supply Chain Crisis”: The key insight from Adversa AI’s research is that MCP’s trust model wasn’t designed at the filesystem level. The fact that 4 major tools share the same structural vulnerability suggests this is a protocol design limitation, not individual product bugs. Essential reading for anyone running AI coding tools. SecurityWeek | Adversa AI
- “How Claude Code Works in Large Codebases”: Anthropic’s official guide to the Harness architecture. The thesis: performance depends on the 5 infrastructure layers (CLAUDE.md, Hooks, Skills, Plugins, MCP) more than the model itself. Practical advice includes reviewing settings every 3-6 months and designating a DRI (Agent Manager). Claude Blog
- “Code with Claude — The 5 Biggest Updates Explained”: Lenny’s Newsletter breaks down Managed Agents, Routines, Dreaming, Outcomes, and Multiagent Orchestration in accessible terms, focusing on how each feature changes real team workflows. Lenny’s Newsletter
Interesting Projects & Tools
- awesome-claude-plugins — Curated Claude Code Plugin Directory: A community-maintained repository by ComposioHQ cataloging Claude Code plugins across custom commands, agents, hooks, and MCP servers. Well-organized by category for quick discovery. GitHub
- claude-code-system-prompts — Full System Prompt Tracking: Piebald-AI tracks Claude Code’s complete system prompts, 27 built-in tool descriptions, subagent prompts (Plan/Explore/Task), and utility prompts per version. Invaluable for understanding Claude Code’s internal behavior and optimizing your workflows. GitHub