Your Cursor, Claude Code, or GitHub Copilot install just became a direct path to your source repository and cloud credentials. Straiker's STAR Labs released their inaugural threat report today—the first real empirical test of AI agent security in production—and the numbers are stark.
Of the 1,700+ successful exploits they ran across coding, productivity, and first-party agents, 36% of attacks on coding agents reached remote code execution on the developer's machine. That's the same machine that holds your .env files, SSH keys, AWS credentials, and your entire git history. In one proof-of-concept, STAR Labs bought Google Ads that outranked the legitimate Cursor install page to harvest coding-agent credentials directly.
The mechanism is not exotic. An attacker crafts a malicious prompt—a GitHub issue, a forum post, a poisoned Stack Overflow answer, anything your agent reads—and the agent executes it as if it were a legitimate instruction from you. Because you've granted the agent terminal access and code-execution permissions, the compromise is immediate and complete.
Productivity Agents Fail Silent
Productivity agents—ChatGPT Enterprise, Microsoft 365 Copilot, Gemini for Workspace, Claude for Chrome—have a different failure mode. 91% of successful attacks on these agents ended in silent data exfiltration. No alert, no jailbreak required, no phishing link needed. An attacker poisons a document you're reading or an email your agent summarizes, the agent exfiltrates data to attacker-controlled endpoints, and your audit logs show nothing. The catch: you have no detection mechanism for it because traditional endpoint security reads code and packets, not the semantic layer where an agent decides to send your data to a third party.
The MCP Supply Chain Is Ungoverned
The Model Context Protocol ecosystem—the tool servers your agents depend on—is where the attack surface explodes. Nearly a quarter (24%) of 17,651+ tracked MCP servers carry at least one known vulnerability. And 28.6% of 130,667 cataloged tools are flagged as high-risk on their face. A single poisoned MCP server reaches every agent type at once. In another marketplace, roughly 5% of published Skills were malicious or high-risk—not beta code, not experimental; actively malicious.
The implication is brutal: you cannot audit your way out of this. You cannot patch your way out of this. Your agent's supply chain is shared across thousands of enterprises, and there is no centralized governance, no CVE numbering, no standard remediation flow.
A New Adversary Class
Straiker names this threat class AiPT (AI-Powered Persistent Threats)—adversaries that are themselves agents, running offensive toolkits like Cyberspike Villager to automate reconnaissance, exploitation, and persistence. They exploit LAVA (Language-Augmented Vulnerabilities in Applications)—flaws in the semantic layer where an agent reasons over instructions, not traditional code vulnerabilities.
Traditional endpoint detection and firewalls cannot see this. They read code, endpoints, and packets. They do not read context. Context is where the vulnerability lives.
What To Do
Straiker built their STAR Framework for AI Agent Security to map the attack surface across four layers: application, model, tools and MCP, and data. But the framework is their product. The practical step for today is simpler: treat your agent-enabled workstation as a direct RCE risk. Do not run coding agents on machines with sensitive credentials in plaintext. Do not run productivity agents that read email on machines with unrestricted network access. Audit your MCP server dependencies—if 24% of them carry known vulnerabilities, yours likely does too.
The full STAR Labs report is available at straiker.ai/report/threat-research-vol-1. If you run agents in production—which, if you're reading this in July 2026, you almost certainly do—this is the security reckoning the industry has been avoiding since Claude Code shipped.
Sources
- Straiker STAR Labs Inaugural Threat Report – 36% of coding agent attacks reach RCE; 91% of productivity agent attacks leave no trace; 24% of MCP servers have known vulnerabilities