AI coding agents have become powerful enough to be genuinely useful, but the attack surface they've opened is growing faster than the security controls meant to protect them. Developers are adopting these tools at scale without fully understanding the threat model. The proliferation of AI coding agents across platforms and workflows is creating a new class of supply-chain vulnerabilities that exploit the trust developers place in their tools. Security is lagging adoption by months, and the industry is still learning what "safe agent deployment" actually means.

Agents Are Now a Legitimate Attack Vector

The proof is no longer theoretical. Researchers at Tenet Security demonstrated how an attacker could hijack AI coding agents into running arbitrary code on a developer's machine by planting a single fake error report in a public bug tracking service. The attack worked against widely used AI coding assistants, including Claude Code, Cursor, and Codex. This is not a hypothetical edge case. This is a working exploit against tools developers are shipping code with every day.

The attack surface is real because agents are designed to be autonomous. They read repositories, parse error logs, fetch dependencies, and execute code. Each of those actions is a potential injection point. An attacker doesn't need to compromise the agent itself. They just need to compromise the data the agent trusts.

Prompt Injection and Indirect Compromise Are the New Normal

Mozilla 0DIN researchers showed how a clean GitHub repository containing no malicious code can still fully compromise a developer's systems: indirect prompt injections trick AI-powered coding agents such as Claude Code into taking steps that hand control to attackers. The attack chains routine agent actions to give threat actors shell command access and persistence on the targeted developer system. All of this happens without warnings.

This is the new normal. Indirect prompt injection is not a fringe concern anymore. It's a working attack vector against production tools. The vulnerability exists because agents are designed to read and act on unstructured data from the environment. README files, issue comments, dependency metadata, and error messages are all potential attack surfaces.

Developers are not trained to think of these inputs as hostile. They are trained to think of them as context. That gap between expectation and reality is where attacks live.

Vibe Coding Scales Faster Than Security Practices

Research found that 181,000 mobile games launched in the six months to May 2026, up 118% on iOS and 73% on Android compared to the same period last year, with much of that surge driven by vibe coding, in which people with little or no programming knowledge can ship code. This is not a story about game development. This is a story about velocity outpacing governance.

When vibe coding scales, the people using these tools are not security engineers. They are builders who want to ship fast. They are not thinking about threat models. They are thinking about feature velocity. That's not a character flaw. That's how adoption works. But it means the security burden falls on the tools, not the users. And the tools are not ready.

Mobile Agents Expand the Threat Surface

Cursor, reportedly acquired by SpaceX, launched a public beta of its first iPhone and iPad app, giving paid subscribers a way to start, monitor, and review AI coding agents from mobile devices. This is a significant shift. Agents are no longer confined to developer machines in controlled environments. They are now running on mobile devices, syncing to cloud infrastructure, and operating across networks that developers do not control.

Mobile agents introduce new attack vectors. The device is less secure than a developer's laptop. The network is less secure. The authentication model is different. The data at rest is different. Each of these changes expands the threat surface. And the security model has not caught up.

MCP Servers Add Capability and Risk in Parallel

Siteimprove launched its Model Context Protocol (MCP) Server with connectors to Anthropic Claude, Lovable, VS Code and Figma, pushing compliance checks upstream into the AI tools where designers, developers and marketers now build digital experiences. MCP servers are a powerful abstraction. They let agents access external systems and data sources. They also let attackers access those same systems and data sources.

Each MCP server is a new capability. Each new capability is a new attack surface. The industry is adding capabilities faster than it is adding security controls. This is not a criticism of MCP. It is a statement of fact. The protocol is well-designed. The security model is not mature.

The Trust Problem Developers Haven't Solved Yet

The core issue is trust. Developers trust their tools. They trust the repositories they clone. They trust the dependencies they install. They trust the error messages their agents read. That trust is the foundation of the attack surface.

AI agents are maturing, but security is not. The industry is still learning what "safe agent deployment" actually means. There are no standards for agent sandboxing. There are no standards for input validation. There are no standards for audit logging. There are no standards for rollback.

What exists instead is a patchwork of assumptions. Developers assume their agents are safe because they come from trusted vendors. Vendors assume developers understand the threat model. Security teams assume they can govern agents the same way they govern developers. None of these assumptions are correct.

The path forward requires three things. First, agents need runtime isolation. They need to run in sandboxes with explicit capability boundaries. Second, agents need input validation. They need to treat all external data as potentially hostile. Third, developers need threat modeling. They need to understand what an agent can do and what an attacker can make it do.
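The three controls just listed (explicit capability boundaries, treating README files, issue comments and error logs as hostile, and an audit trail to review and roll back from), as an added example that is not part of the original article or any vendor's product: a hypothetical tool gateway in which every agent tool call is checked against an allowlist, ingesting external content marks the context as tainted and suspends side effects until a human approves, and every decision is logged. Policy, ToolGateway, the tool names and the workspace path are assumptions for this example.

```python
import os
from dataclasses import dataclass
from urllib.parse import urlparse

# Characters that chain, substitute, quote or escape; a command containing any of them is denied outright.
SHELL_META = set("|&;$`<>(){}'\"\\\n")
SIDE_EFFECTS = {"write_file", "shell", "fetch"}  # tools suspended while untrusted text is in context

@dataclass(frozen=True)
class Policy:  # explicit capability boundary for one agent session (hypothetical, not a vendor API)
    workspace: str                                                    # only paths under this root
    allowed_programs: frozenset = frozenset({"pytest", "git", "ls"})  # argv[0] allowlist for shell
    allowed_hosts: frozenset = frozenset()                            # empty set: no network egress

class ToolGateway:
    """Every tool call the agent proposes passes through authorize(); nothing runs by default."""
    def __init__(self, policy: Policy):
        self.policy = policy
        self.audit: list[dict] = []  # append-only decision record: the basis for review and rollback
        self.tainted = False         # set once untrusted text (README, issue, error log) is ingested

    def _decide(self, tool: str, arg: str, allowed: bool, reason: str) -> bool:
        self.audit.append({"tool": tool, "arg": arg, "allowed": allowed, "reason": reason})
        return allowed

    def ingest_untrusted(self, source: str, text: str) -> str:
        # Label external content as data, not instructions, and suspend side effects until a human approves.
        self.tainted = True
        self._decide("ingest", source, True, "context tainted; side effects suspended")
        return f'<untrusted source="{source}">\n{text}\n</untrusted>'

    def approve(self) -> None:  # a human clears the taint after reading the audit log
        self.tainted = False

    def authorize(self, tool: str, arg: str) -> bool:
        if self.tainted and tool in SIDE_EFFECTS:
            return self._decide(tool, arg, False, "side effect while context tainted")
        if tool in ("read_file", "write_file"):
            root = os.path.realpath(self.policy.workspace)
            target = os.path.realpath(os.path.join(root, arg))
            inside = target == root or target.startswith(root + os.sep)
            return self._decide(tool, arg, inside, "workspace boundary")
        if tool == "shell":
            argv = [] if SHELL_META & set(arg) else arg.split()  # plain whitespace argv only
            ok = bool(argv) and argv[0] in self.policy.allowed_programs
            return self._decide(tool, arg, ok, "program allowlist, no chaining")
        if tool == "fetch":
            ok = urlparse(arg).hostname in self.policy.allowed_hosts
            return self._decide(tool, arg, ok, "host allowlist")
        return self._decide(tool, arg, False, "unknown tool")
```

The taint rule is deliberately coarse: a path traversal or a chained command is denied on its own merits, while any side effect after untrusted text has entered the context is denied until a reviewer has read the audit log, which is the gap the fake-error-report and clean-repository attacks described above exploit.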

This is not a problem that will solve itself. The tools are too useful. The velocity is too high. The adoption is too broad. Security will have to be built into the infrastructure, not bolted on after the fact. Agents write code faster than teams can govern it. That gap is where the real risk lives.