AI agents are a security disaster waiting to happen
Three threads today all circled the same problem from different angles. A researcher tricked Claude into leaking user memory data through a prompt injection attack and got no bounty from Anthropic. Cursor got a full public zero-day disclosure after a researcher found that its agent had, apparently, deleted git history and the company refused to engage meaningfully with the report. Separately, the Tailscale SSH vulnerability thread had a commenter note with genuine alarm that people are running AI agents with full admin rights and no containerization.
The pattern here is not just that individual tools have bugs. It is that the entire category of AI coding agents is being deployed with the trust model of a senior employee but the security posture of a freshman intern on their first day. These are tools with file system access, network access, and the ability to run commands, and they are sitting inside developer machines with essentially no sandboxing.
The Cursor thread was particularly pointed. Commenters described the vulnerability as stemming from a developer's git malfunctioning and an agent 'fixing' it in a destructive way, which suggests the problem is not just injection attacks from outside but also agents taking catastrophic actions on ambiguous prompts from inside.
So what?
If you are building with or on top of AI agents, you need a threat model right now, not eventually. Assume the agent will be manipulated, will misinterpret prompts, and will take irreversible actions. Containerize, limit permissions, and log everything. If you are building an AI product, a security researcher finding a real vulnerability and getting nothing from you is a PR event waiting to happen.
Read these
I tricked Claude into leaking your deepest, darkest secrets
Cursor 0day: When Full Disclosure Becomes the Only Protection Left
TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access