If your developers are using AI coding assistants, and statistically, they are, you now have an attack surface that didn’t exist 18 months ago.
This isn’t a theoretical concern. The last two weeks have produced a steady stream of real-world demonstrations showing exactly how AI agents get compromised, and the results aren’t subtle.
What Happened This Month #
PleaseFix zero-click exploits. Researchers demonstrated live at RSAC 2026 that agentic browser tools can be hijacked for full account takeover, no user interaction required. The AI agent does what it’s told, and the attacker is the one telling it.
140,963 security issues across 22,511 AI coding agent skills. A large-scale audit found that the plugins and extensions powering AI coding tools are riddled with vulnerabilities. These aren’t edge cases, it’s the ecosystem itself.
87% of AI-generated pull requests introduce vulnerabilities. DryRun Security’s analysis found that the vast majority of code produced by AI agents ships with security flaws. The tools developers use to move faster are generating insecure code at scale.
Hidden README instructions leak data 85% of the time. Researchers showed that simply embedding instructions in a repository’s README file causes AI agents to exfiltrate data in 85% of cases. If your AI agent reads a repo, it can be manipulated by that repo.
Nation-state exploitation at machine speed. Reports surfaced of Chinese state actors using AI coding tools with Model Context Protocol for autonomous attacks. This isn’t script kiddies, it’s sophisticated operators using your development tools as offensive infrastructure.
Why This Is Different From the AI Threat Conversation #
The security industry has been talking about AI threats for years, AI-generated phishing, AI-assisted vulnerability discovery, AI-powered malware. Those are real concerns, and I wrote about them earlier this month.
But this is a different problem. This isn’t about attackers using AI. It’s about the AI tools your own teams are deploying becoming the entry point. The attack surface isn’t theoretical, it’s the tools sitting on your developers’ machines right now, with filesystem access, network access, and the ability to execute code.
What Most Organizations Are Missing #
AI agents aren’t traditional software. They don’t have predictable behavior. They respond to inputs, including malicious ones, in ways that are difficult to anticipate and hard to audit. Traditional application security approaches don’t map cleanly to tools that interpret natural language and take autonomous actions.
Prompt injection is the new injection. SQL injection had its decade. Now prompt injection is the vector, and it’s hitting developer tools, browser agents, and coding assistants. The difference is that prompt injection doesn’t require a vulnerable endpoint, it just requires content that the AI agent reads.
There’s no governance framework. Most organizations adopted AI coding tools bottom-up. Developers started using them, and security teams weren’t involved. That means no inventory of which AI tools are running, no policy on what they can access, and no monitoring of what they’re doing.
What to Do About It #
Inventory your AI tooling. Know which AI coding assistants, browser agents, and plugins your developers are running. You can’t secure what you can’t see.
Restrict filesystem and network access. AI agents don’t need access to your entire codebase or internal network. Apply least privilege the same way you would for any other tool with code execution capabilities.
Treat AI-generated code as untrusted. Every AI-generated pull request should go through the same security review process as code from a new contractor. Automated SAST and dependency scanning are the minimum.
Monitor for prompt injection. If your AI tools interact with external content, repositories, documentation, web pages, that content can contain adversarial instructions. Build detection for anomalous AI agent behavior.
Establish an AI tool policy. This isn’t about banning AI tools. It’s about deploying them deliberately, with security controls, instead of letting adoption happen by default.
The Bottom Line #
AI coding tools deliver real productivity gains. That’s not in question. But productivity tools with code execution, filesystem access, and network connectivity are also security tools, whether you intended them to be or not. Treat them accordingly.