AI coding tools face a convergence of security threats in July 2026, from exploitable IDE vulnerabilities to AI-generated phantom packages — even as enterprise adoption climbs above 90% and investor funding pours into the sector. The risks are concrete and documented, and they are arriving faster than most organizations have built defenses.
Cursor AI Hit by Two Separate Exploit Disclosures
Cursor AI, the fastest-growing AI code editor with more than 50,000 enterprise customers including 64% of the Fortune 500, was hit by two separate vulnerability disclosures within 24 hours in mid-July 2026. The back-to-back findings expose how quickly security researchers are scrutinizing AI development environments that handle sensitive source code and credentials.
On July 14, Mindgard disclosed that Cursor can be exploited by concealing malware inside a fake Git file. One day later, researchers at Adversa AI shared a separate report exclusively with Dark Reading describing a two-click attack chain that combines two classic vulnerability classes to install a malicious Model Context Protocol (MCP) server on a victim developer’s machine.
MCP servers are executable components designed to connect AI models to external tools — API calls, filesystem operations, and similar integrations. According to Dark Reading, they frequently run with minimal restrictions, and in Cursor’s case, a successfully installed malicious MCP server executes commands with the same privileges as the developer running the editor. That means an attacker who completes the two-click chain gains access to secrets, credentials, and source code stored in a privileged development environment.
Cursor’s profile makes the exposure significant. The company’s valuation climbed sharply earlier this year following strong revenue growth and an acquisition by SpaceX, according to Dark Reading’s reporting.
Slopsquatting: When AI Hallucinations Become Supply Chain Attacks
Beyond IDE-level exploits, a distinct class of threat called “slopsquatting” is turning AI coding assistants into an unintentional supply chain attack surface. The term combines “AI slop” and “typosquatting,” and it describes what happens when an LLM hallucinates a software package name that does not exist — and an attacker registers that name first.
VentureBeat reported that the attack vector works as follows: during AI-assisted coding, a model generates a reference to a fictitious open-source package. If a threat actor has already registered that package name on a public registry and populated it with malicious code, the developer installs malware the moment they follow the AI’s suggestion. Unlike typosquatting — which registries have spent decades building protections against — slopsquatting exploits hallucination behavior that registries have no established mechanism to detect or block.
The threat is structurally difficult to mitigate because it originates inside the trusted workflow. Developers relying on AI suggestions have no obvious reason to verify that a recommended package exists before installing it.
Enterprise Adoption Outpaces Security Readiness
Despite the documented risks, enterprise adoption of AI coding tools has reached near-saturation levels. According to GitLab’s 2026 AI Accountability Report, 91% of organizations are using two or more coding tools, and 54% use three or more. A separate Black Duck survey placed enterprise adoption even higher, at 97%.
The cost structure of these tools adds another layer of complexity. Dark Reading noted that AI coding subscriptions run $19 to $200 per user per month, but that figure excludes the downstream costs of security scanning, vulnerability remediation, and false positives generated by AI-written code.
SonarSource’s State of Code Developer Survey 2026, which collected 1,149 developer responses, found that while productivity gains are real, they do not automatically translate into positive ROI once security overhead is factored in. The survey results suggest organizations should model total cost — including remediation labor — rather than licensing fees alone before committing to broad rollouts.
The category also now encompasses “vibe coding,” where users generate entire applications from natural language prompts without understanding the underlying code. Dark Reading flagged this practice as a particular risk multiplier: developers who cannot read the output cannot audit it for vulnerabilities.
Emergent Reaches $1.5B Valuation on $120M ARR
Investor appetite for AI coding tools remains strong despite the security concerns. Indian startup Emergent raised $130 million in a Series C round at a $1.5 billion post-money valuation — a five-fold valuation increase in six months — according to TechCrunch. The round was led by Creaegis, with participation from MNI Ventures-Claypond, Sentinel Global, Khosla Ventures, SoftBank Vision Fund 2, Lightspeed, and Y Combinator.
Emergent co-founder and CEO Mukund Jha told TechCrunch that the company has reached $120 million in annual run-rate revenue, up 70% over the past four months, with more than 200,000 paying customers. The startup targets small businesses and entrepreneurs rather than professional developers — customers include trucking companies, construction firms, and property managers building internal tools.
“Our thesis has always been to build a production-grade application for serious builders,” Jha said. “So you’re basically getting an engineering team in a box.”
Emergent’s total funding now stands at $230 million, following a $70 million Series B at a $300 million valuation in January 2026. North American customers account for roughly one-third of revenue, Europe another third, with India contributing 8–9%.
What This Means
The AI coding tool market is maturing in two directions simultaneously: commercially, it is consolidating around a handful of well-funded platforms with deep enterprise penetration; technically, it is generating a new class of security vulnerabilities that did not exist three years ago.
The Cursor disclosures are notable not because Cursor is uniquely insecure, but because it is the most widely deployed target. As AI editors become standard developer infrastructure — handling credentials, source code, and privileged system access — they become high-value attack surfaces. The MCP server attack vector is particularly concerning because it exploits a feature, not a bug: MCP’s broad permissions are by design.
Slopsquatting represents a harder problem. It cannot be patched at the IDE level because the vulnerability lives in the hallucination behavior of the underlying model. Mitigating it requires either registry-level intervention, developer education, or AI tools that validate package existence before recommending installation — none of which are standard practice today.
Organizations running three or more coding tools simultaneously, as 54% of enterprises now do according to GitLab, face compounded exposure across each platform’s distinct attack surface. The ROI question Dark Reading raises is real: productivity gains documented in surveys do not yet account for the labor cost of auditing AI-generated code at scale.
FAQ
What is the Cursor AI two-click exploit?
Researchers at Adversa AI disclosed a two-step attack chain in July 2026 that allows an attacker to install a malicious Model Context Protocol (MCP) server on a developer’s machine using Cursor AI. The MCP server then executes commands with the same privileges as the developer, granting access to source code, credentials, and other sensitive data.
What is slopsquatting and how does it work?
Slopsquatting is a supply chain attack that exploits AI coding assistants’ tendency to hallucinate nonexistent software package names. Attackers register those fake package names on public registries and populate them with malicious code, so developers who follow the AI’s recommendation unknowingly install malware directly into their codebase.
How widely are AI coding tools used in enterprises today?
According to GitLab’s 2026 AI Accountability Report, 91% of organizations use two or more AI coding tools, and 54% use three or more. A Black Duck survey placed adoption even higher at 97% among enterprise development teams.
Related news
Sources
- 2-Click Cursor Exploit Enables Dev Environment Takeover – Dark Reading
- Forget typosquatting; slopsquatting is the software supply chain threat created by AI coding tools – VentureBeat
- Thinking Machines open sources first multimodal language model, Inkling, focused on low cost and ‘resistance to censorship’ – VentureBeat
- AI Coding: Do Security Risks Outweigh Productivity Gains? – Dark Reading
- Indian AI coding startup Emergent becomes a unicorn with $130M Series C – TechCrunch






