On this page · 9 sections
Summary. Nine in ten security leaders are worried about the risks of AI-generated code, according to Salt Security research from May 2026, and the worry is earned. Veracode's analysis found that roughly 45% of AI-generated code samples introduce an OWASP Top 10 vulnerability. Adoption is not slowing: Gartner projects 90% of enterprise software engineers will use AI code assistants by 2028, up from under 14% in early 2024, as reported by The Hacker News. In 2026 the attacks moved up a level, from insecure output to the assistants themselves. GhostApproval, disclosed by Wiz, defeated the human approval prompt in six major tools including Claude Code, Cursor and Amazon Q Developer. The AI Now Institute's Friendly Fire tricked Claude Code and OpenAI's Codex into running attacker code during a security review. Cursor patched two 9.8-CVSS remote-code-execution flaws, and slopsquatting exploits the 19.7% rate at which models invent package names, where registering the malicious name costs an attacker $0. Prompt injection is now the second-most-reported pain point among nearly 2,850 developers surveyed in Q1 2026. This is a guide to the AppSec layer AI-assisted teams need, and how eCorpIT builds it.
The productivity is real; so is the exposure
AI coding assistants earned their place. They cut boilerplate, accelerate refactors and lower the cost of a first draft. The problem is not the productivity. It is that most teams bolted these tools onto a software delivery process whose security controls were designed for human-written code reviewed by humans.
The data shows the gap. Veracode reported that around 45% of AI-generated code introduces a known OWASP Top 10 weakness, and the Cloud Security Alliance has documented a measurable surge in vulnerabilities tied to AI-assisted and vibe-coded projects. ProjectDiscovery's 2026 AI Coding Impact Report found AI-generated code is outpacing security teams' ability to keep up. Meanwhile the tooling keeps getting more autonomous, which means more code reaches your repository with less human attention on each line, not more.
For an engineering leader the uncomfortable summary is this: the volume of code your organisation ships went up, the share written by a system that hallucinates went up, and the number of human eyes per change went down. That is the exact condition an attacker wants.
The 2026 shift: attacks on the assistant, not just its output
Through 2025 the concern was mostly quality, that AI writes insecure code. In 2026 researchers turned the assistant itself into the entry point. Several disclosures, weeks apart, show the pattern.
| Attack (2026) | Disclosed by | What it defeats | Tools shown affected |
|---|---|---|---|
| GhostApproval | Wiz | The human approval prompt (via symlink following) | Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, Windsurf |
| Friendly Fire | AI Now Institute | The model's own safety judgment | Claude Code, OpenAI Codex (autonomous mode) |
| DuneSlide (CVE-2026-50548/50549) | Cato Networks | The IDE sandbox (9.8 CVSS RCE) | Cursor, pre-3.0 versions |
| TrustFall | Adversa | Repo trust boundary (one-click RCE) | Claude Code, Cursor, Gemini CLI, Copilot CLI |
| Agentjacking | Tenet | Agent trust in issue trackers (85% hit rate) | Claude Code, Cursor |
| Slopsquatting | Multiple | The dependency supply chain | Any assistant that suggests packages |
Two of these deserve a closer look because they break the controls teams assume protect them. GhostApproval, in Wiz's disclosure, abuses symlink following, a decades-old file-system behaviour, to slip past the approval prompt that is supposed to keep a developer in the loop before an agent acts. Three of the six vendors Wiz tested had fixes in production before the 8 July disclosure, and AWS had already patched Amazon Q Developer's language server on 27 May in version 1.69.0, tracked as CVE-2026-12958.
Friendly Fire is the more structural warning. Researchers Boyan Milanov and Heidy Khlaaf at the AI Now Institute showed that Claude Code and Codex, running in an autonomous mode, could be pointed at a repository with a booby-trapped README that suggested running a routine "security check" script, and the agent would run the attacker's hidden binary on the host. As The Hacker News reported, one injection worked unchanged across two vendors and four models, and in some runs the newer models noticed the binary did not match its supposed source and ran it anyway. AI Now's conclusion is the line every engineering leader should sit with: the weakness "cannot be fixed with a model update, because the models still cannot reliably tell the code they are reading from the instructions they are meant to follow." The fix is a workflow change, not a version bump.
Why your default controls do not cover this
Most teams already run some application security. The issue is that the standard stack has blind spots exactly where AI-assisted development creates risk.
Approval prompts assume the thing being approved is what it appears to be; GhostApproval breaks that. Model guardrails assume the model can separate instructions from data; Friendly Fire breaks that. Static analysis is tuned for human bug patterns and misses the specific ways generated code fails, and it does nothing about a hallucinated dependency name. Dependency scanning that runs after merge is too late when an autonomous agent has already installed and executed a package. And credential hygiene that was fine for a developer's laptop becomes dangerous when an agent with access to cloud tokens, secrets and source control can be induced to run untrusted code. Slopsquatting alone, which exploits the roughly one-in-five rate at which models invent package names, is a supply-chain hole that no amount of code review inside your own repository will close, as covered in our guide to blocking AI-hallucinated packages in CI.
The AppSec layer AI-assisted teams need
Securing AI-assisted development is not one tool. It is a layer of controls placed where the AI toolchain actually touches your systems. Six components cover the surface these 2026 attacks exposed.
1. Threat-model the AI toolchain
Map every point where untrusted input can reach a tool that can run commands or write files: repositories, issue trackers, package registries, documentation, model context files. This is the exercise that would have flagged the README and issue-tracker vectors behind Friendly Fire and Agentjacking before they were incidents. It is also the foundation of the wider governance layers enterprise AI agents need.
2. Constrain agent autonomy and permissions
The single most effective change is to stop autonomous, self-approving agents from acting on code you do not control. Run agents with least privilege, keep production credentials out of agent environments, and require human review before an agent executes a script that only a README or docs file told it to run. This is the same discipline behind hardening AI coding agents against shell injection.
3. Close the dependency supply chain
Pin and hash-verify lockfiles, gate new dependencies behind an allowlist, and add CI checks that reject packages that do not exist or were published inside a cooldown window. These controls stop slopsquatting and typosquatting before an install reaches production.
4. Review AI output like untrusted input
Treat every AI-generated change as a change from an unreviewed contributor. Tune static and dynamic analysis for the failure modes of generated code, run OWASP Top 10 checks in the pipeline, and keep a human in the loop for security-relevant diffs. The point is not to slow delivery but to put the verification where the risk moved.
5. Isolate secrets and blast radius
Scope tokens tightly, rotate them, and separate the environment an agent runs in from the systems that hold your keys. When an agent is compromised, as the Friendly Fire proof-of-concept showed is possible, the difference between an annoyance and a breach is what that agent could reach.
6. Set policy and train the team
Write a safe-use policy for AI coding tools, decide which autonomous modes are allowed on which code, and give developers a short, concrete playbook for what to watch for, starting with an agent running a binary or script that only documentation told it to run. Tooling without policy drifts; policy without training does not stick.
| AppSec control | Primary threat it addresses |
|---|---|
| AI toolchain threat model | Unmapped injection vectors (README, issue trackers) |
| Agent permission and autonomy limits | Friendly Fire, GhostApproval, TrustFall |
| Dependency supply-chain controls | Slopsquatting, package hallucination |
| Secure review of AI output | OWASP Top 10 flaws in generated code |
| Secrets and blast-radius isolation | Credential theft after agent compromise |
| Policy and developer enablement | Unsafe autonomous-mode use |
How to bring this in: build, buy, or partner
Some organisations have the security engineering depth to build this layer in-house. Many do not, or need it faster than an internal hire cycle allows. A sensible engagement runs in three stages: a short assessment that threat-models your AI toolchain and finds the gaps against the six controls above; a remediation phase that wires the controls into your pipeline, agent configuration and secrets management; and an ongoing review cadence that keeps pace as new attacks like the 2026 cluster keep landing. What matters is that the work is done by people who read the security research and write production code, not by a checklist.
This is where eCorpIT fits. We are a senior-led, multi-disciplinary engineering organisation founded in 2021 and based in Gurugram, assessed at CMMI Level 5 and MSME-certified, with partnerships across AWS, Microsoft, Google and Kaspersky. We build and secure software delivery pipelines for teams that have adopted AI coding assistants, and we design those controls aligned with the Digital Personal Data Protection Act, 2023 requirements so that Indian teams close the security gap and the privacy gap together. Our related AI agent security guardrails service covers the runtime side for teams deploying agents in production.
India-specific considerations
For Indian product teams and the global capability centres in Gurugram, Bengaluru and Hyderabad, the DPDP Act raises the stakes on an AI-assisted breach. A compromised agent that exfiltrates a database credential is not only a security incident; if it exposes personal data it can become a reportable breach with regulatory consequences. Because these teams have adopted AI coding tools aggressively to compress delivery timelines, the security gap and the compliance exposure arrive together, which is an argument for building the AppSec layer into the same engineering process rather than treating it as a separate audit.
FAQ
How eCorpIT can help
eCorpIT builds and secures the software delivery pipelines of teams shipping with AI coding assistants. We assess where your AI toolchain is exposed, wire in the controls that block the 2026 attack classes, from agent permission limits and supply-chain gates to secure review of generated code, and design the whole layer aligned with the DPDP Act so your security and privacy gaps close together. As a senior-led organisation founded in 2021 in Gurugram, assessed at CMMI Level 5 and MSME-certified, we work as the engineering partner for that layer. If your team adopted AI-assisted development faster than its security controls, contact us.
References
- Salt Security via PR Newswire. "New Research Reveals 9 in 10 Security Leaders Concerned About AI-Generated Code Risks." May 2026.
- Veracode. "AI Coding Tools Are Creating a Security Gap We Must Close Immediately." 2026.
- Swati Khandelwal. "Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It." The Hacker News, 9 July 2026.
- Wiz. "GhostApproval: A Trust Boundary Gap in AI Coding Assistants." July 2026.
- Infosecurity Magazine. "GhostApproval Flaw Hits Six Major AI Coding Assistants." July 2026.
- The Register. "Bug in top AI coding agents shows that Unix-era security headaches never really die." 8 July 2026.
- SecurityWeek. "Critical Cursor AI IDE Flaws Could Lead to OS-Level Remote Code Execution." 2026.
- Cloud Security Alliance. "Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks." 19 April 2026.
- ProjectDiscovery via PR Newswire. "2026 AI Coding Impact Report: AI-Generated Code Is Outpacing Security Teams." 2026.
- Dark Reading. "AI Coding: Do Security Risks Outweigh Productivity Gains?" 2026.
- Cloud Security Alliance. "Vibe Coding's Security Debt: The AI-Generated CVE Surge." 2026.
- AI Now Institute. "Friendly Fire Exploit Brief." 2026.
_Last updated: 18 July 2026._