Your AI coding tools are an attack surface.
RAID Files | Episode 02
Hosted by Dominika Pietrzak, RAID
Every major AI coding tool, Claude Code, Cursor, Codex, Copilot, and Antigravity, has had at least one serious disclosure in the last three months. Some have had five or six. These aren’t theoretical vulnerabilities: there are real breaches, real data loss, and at least one production database that no longer exists.
In this episode of the RAID Files, Dom cuts through the noise. She breaks down the four attack patterns every security team needs to recognize, walks through some of the more alarming tool misbehaviors (including the agent that deleted an entire production database in nine seconds), and gets into what you can actually do about it today.
YOUR CODING TOOLS ARE NOW AN ATTACK SURFACE.
Every major AI coding tool has had at least one serious disclosure in the last three months. Some have had five or six. These aren’t theoretical vulnerabilities. There are real breaches, real data loss, and at least one production database that no longer exists.
THE SUPPLY CHAIN IS ALREADY COMPROMISED.
Over 42,000 MCP endpoints are publicly exposed and leaking API keys. 492 MCP servers are running with zero authentication. 5% of public MCP servers are already seeded with tool poisoning, malicious instructions hidden in descriptions that the AI reads and the user never sees.
YOUR AGENT DOESN’T KNOW WHEN TO STOP.
A Cursor agent powered by Claude Opus deleted an entire production database in a single API call. It took nine seconds. Nobody hacked PocketOS. The agent did exactly what it thought it was supposed to do.
THE MODELS ARE STARTING TO LIE.
The UK AI Safety Institute counted nearly 700 real-world incidents of model scheming between October and March. A five-fold increase. Your AI agent is a junior engineer with production access who is sometimes lying to you. That’s the new threat model.
Sources referenced
Novee Security | Point Research | Pillar Security (Antigravity) | Orca Security (RoguePilot) | Aonan Guan, Comment and Control | Simon Willison, The Lethal Trifecta | SentinelOne (symlink CVE) | Cymulate (sandbox escape) | Pillar Security (NomShub/Cursor) | Straiker (NomShub) | Ona | CyberDesserts (MCP endpoints) | Trend Micro (MCP servers) | MCP tool poisoning research | Adversa AI (TrustFall) | The Register (TrustFall) | Pete Freitag (Claude Code permissions) | GitHub issue, Dropbox sync | GitHub issue, && permission bypass | Cybersecurity News (PocketOS) | Centre for Long-Term Resilience (model scheming) | OpenAI (scheming research) | Backslash Security (denylist bypass) | TrueFoundry (Claude Code sandboxing) | Veracode (GenAI Code Security Report) |