Claude Code Malware Scan Regression Breaks Subagent Tasks

"Subagent refuses to read file due to malware reminder on every read."

That line, filed as issue #49363 on the Claude Code GitHub repository, describes a regression that started blocking code generation workflows for teams using Claude Managed Agents. The bug is simple in structure: a malware-scanning reminder gets injected on every file read, and subagents interpret that reminder as a signal to refuse. The result is a multi-agent setup that can no longer do the thing it was built to do.

Claude Managed Agents versus the alternatives right now

If this bug is affecting your pipeline, the immediate question is whether to wait for a patch, route around it, or switch tools. Here is how the main options compare on the criteria that actually matter for agentic code workflows.

Tool	Multi-agent support	File read behavior	Refusal rate on benign code	Recovery path
Claude Code (current)	Yes, Managed Agents	Regression: malware reminder blocks reads	High when bug is triggered	Awaiting Anthropic patch
Cursor	Limited, single-agent by default	No malware-scan injection	Low on standard files	N/A - not the same architecture
Devin	Yes, full autonomous agent	Sandboxed reads, no injection issue	Low-moderate	Different pricing model applies

For teams running tight CI loops where every file read is part of an automated chain, Claude Code with Managed Agents is still the most direct fit architecturally. If you are on Cursor doing single-file reviews, this bug does not touch you. If you are on Devin, you are in a sandboxed environment that handles file access differently. The verdict: if you are deep in Claude's agentic stack, you wait or you patch around it; if you are evaluating tools before committing, this is a reason to delay that commitment by a week or two.

The case that this bug is not worth your attention

Regressions happen. Anthropic has active engineers watching the GitHub issues queue and the Claude Code issue tracker has a track record of quick turnarounds on confirmed bugs. Issue #49363 was filed, acknowledged, and tagged within a short window. That is not a slow-moving organization. More pointedly: the class of user this affects is narrow. You need to be running Managed Agents specifically, reading files inside that agentic loop, and hitting the malware-reminder injection on those reads. Teams using Claude Code in simpler configurations, single-agent or direct API calls without subagents, will not see this. The issue title says "subagent refusals" for a reason. If your workflow does not use subagents, you are not in scope. There is also an argument that the underlying behavior, flagging file reads during automated workflows, reflects a safety mechanism that Anthropic deliberately built. The regression is that the reminder fires too often and the subagent over-weights it. That is a tuning problem, not an architectural flaw. It will be fixed by adjusting when the reminder fires or how subagents interpret it, not by removing the check entirely.

How to work around the bug today

Until a patch ships, here is the shortest path to restoring function.

1. Confirm you are hitting the bug, not a different refusal. Run a minimal test: have your subagent attempt to read a single known-clean file. If the refusal message includes language about malware scanning or file safety reminders, you are on issue #49363. If the refusal is content-based, it is something else.
2. Pin to an earlier Claude Code version if your environment allows it. Check your package lock or environment spec for the last version where reads were working. In most Node-based setups, that means checking package-lock.json for the @anthropic-ai/claude-code version and downgrading via npm install @anthropic-ai/claude-code@<last-known-good>.
3. If pinning is not viable, restructure the agentic call so the primary agent handles file reads directly rather than delegating to a subagent. This sidesteps the subagent refusal path entirely while the regression is live.
4. Add explicit context in your system prompt to clarify that file reads in this workflow are operating on project source files in a controlled environment. This does not fix the underlying issue but can reduce refusal frequency in some configurations.
5. Watch the GitHub issue for the fix: shipped label or a linked PR. Anthropic typically closes regressions like this with a point release rather than waiting for a major version.

Verification test: after applying your chosen workaround, have the subagent read a file it previously refused and confirm it returns content rather than a refusal message. If it reads, the workaround is active. If it still refuses, the system prompt context from step 4 is not sufficient and you need to fall back to step 3.

What actually breaks in production

The failure mode here is not a crash. It is silent workflow degradation. A subagent that refuses a file read does not always surface that refusal visibly in the orchestration layer. Depending on how your pipeline handles agent responses, the refusal might be swallowed, logged as a completed step, or cause the orchestrator to proceed with incomplete context. Teams running code generation pipelines that depend on reading multiple source files in sequence are the ones most exposed. If a subagent is supposed to read ten files to understand a codebase and produces a refusal on files three and seven, the generated code will compile based on partial context. You will not necessarily get an error. You will get output that looks plausible but is missing awareness of whatever was in those two files. This happened to at least one user in the GitHub thread who reported that generated code was functionally wrong in ways that were hard to trace until they noticed the file-read refusals in verbose logging. That is the real cost: not the refusal itself, but the downstream output quality degradation that can pass QA if no one is watching the agent logs closely. For teams comparing Cursor versus Claude Code for agentic workflows, this is exactly the kind of incident worth factoring in. It is not about which tool is smarter. It is about which failure modes are visible and which ones are quiet.

The number that defines the blast radius

One injection per read. That is the core of the issue. If the reminder fired once per session or once per agent invocation, the impact would be minor. Subagents could absorb it as context and continue. But firing on every read means that any agentic workflow touching multiple files accumulates refusal risk with each operation. A pipeline reading 20 files does not have a 5% problem. It has a compounding problem where each read is an independent refusal opportunity. If that number were halved, say the reminder fired on every other read, you would still have a broken workflow but a more predictable one. If it were doubled to two injections per read, the subagent refusal rate would likely approach 100% on the first file, which would at least make the bug immediately visible. The current rate of one per read sits in the worst range: frequent enough to cause real failures, infrequent enough that short test cases might not surface it. That is also why some teams on the GitHub thread initially thought their issue was unrelated. They tested with a small file set and saw no problem. They deployed against a full codebase and the failures emerged at scale. See also the related discussion on the GitHub issue and prior coverage of Claude Code spend patterns and alternative local setups for teams reconsidering their agentic stack.