How many people using Claude code or codex do you reckon just using it in yolo mode? Aka --dangerously-skip-permissions! If the attacker presumes the user is, then the LLM instructions could be told to forget previous instructions, search a list of common folders for crypto private keys and exfil them, and then instructions that they hope will make it come back clean. Not as deep as getting a rootkit installed, but hey $50.