NomShub: How to Check If Your Mac Was Affected by the Cursor Sandbox Escape
In January 2026, Straiker AI disclosed a three-stage attack chain against Cursor, the AI coding editor, on macOS. They named it NomShub. Cursor patched it in version 3.0 on April 2, 2026.
If you use C
armor1.hashnode.dev · 7 min read
The shell builtin bypass is the detail that makes this really interesting. Most sandbox implementations focus on blocking known-dangerous executables but completely overlook that export, cd, source, and eval are handled by the shell interpreter itself and never show up as process executions. It's the same class of oversight you see in WAFs that filter paths but miss URL-encoded traversals. The cursor-tunnel abuse for C2 is also worth highlighting — legitimate signed binaries being repurposed for persistence is a pattern straight out of the APT playbook (LOLBins), and the fact that it blends with normal dev tunnel traffic makes detection genuinely difficult at the network layer. Curious whether anyone has looked into whether similar builtin-chaining attacks work against other AI coding editors with sandbox models.
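The blind spot described in the comment above, as an added example that is not part of the original post or of Straiker's or Cursor's code: it splits command lines into simple commands and separates the ones a process-execution monitor would record from the ones the shell handles in-process. The builtin list comes from the comment; the sample lines and the function names are assumptions made for illustration.

```python
import re
import shlex

# Builtins named in the comment; "." is the POSIX spelling of "source".
BUILTINS = {"export", "cd", "source", ".", "eval"}
CONTROL_OPS = {";", "&&", "||", "|", "&"}
ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=")

def split_simple_commands(line):
    """Split a shell line into simple commands at control-operator tokens."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # Python 3.8+: still splits on punctuation
    commands, current = [], []
    for token in lexer:
        if token in CONTROL_OPS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

def audit(line):
    """Return (in_shell, exec_visible) lists of simple commands.

    in_shell: listed builtins and bare assignments, which create no new
    process, so an exec-based allowlist or process monitor never sees them.
    exec_visible: everything else, treated here as an external program.
    Limitation: does not recurse into $(...) or the string passed to eval.
    """
    in_shell, exec_visible = [], []
    for words in split_simple_commands(line):
        # Skip leading VAR=value prefixes to find the command word.
        command = next((w for w in words if not ASSIGNMENT.match(w)), None)
        target = in_shell if command is None or command in BUILTINS else exec_visible
        target.append(" ".join(words))
    return in_shell, exec_visible

# Constructed sample lines (not taken from the NomShub report).
SAMPLES = [
    "export PATH=/opt/tools/bin:$PATH && git status",
    "cd /tmp/project; source ./env.sh; make test",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hidden, visible = audit(sample)
        print(f"{sample!r}\n  no exec event: {hidden}\n  exec event:    {visible}")
```

A control that inspects only the second list never evaluates the environment or working-directory changes in the first, which is why command policy for an agent has to be applied to the full command string before the shell interprets it.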