Security researchers have revealed 30+ CVEs affecting Claude Code, Cursor, GitHub Copilot and others via prompt injection and MCP tool poisoning; this article covers attack vectors, the OWASP agentic AI Top 10 and practical defences.

“IDEsaster” is a good term, because most of the risk isn’t in the model but in the ambient authority we casually hand to agents. An AI that can read repos, write code, run tests, hit package managers, and access secrets is effectively a junior engineer with prod keys and zero fear. The interesting vulnerabilities aren’t prompt injections in isolation, but cross-boundary ones: repo → CI → secrets → cloud. Until IDEs treat agents like untrusted plugins with strict sandboxing, least privilege, and auditable actions, we’re just automating foot-guns at scale.