Adopt Agentic AI in Software Development FAST! (Spoiler: You Probably Shouldn't.)
Do you ever get the feeling as a cybersecurity professional that right now, everyone is entering hyperdrive on agentic AI, when maybe it’s time to go slow and reflect? Well, what many of us have been seeing in our AI security crystal balls is now suddenly reality.
On Friday, the 14th of November, Anthropic (one of the world's best-known LLM vendors, thanks to its popular Claude Code tool) released a groundbreaking paper on a cyber incident it observed in September 2025 that targeted everyone from large tech companies, financial institutions and chemical manufacturers to government agencies.
So, what’s all the fuss about, and what makes this so concerning? In layman's terms, a highly advanced threat actor (allegedly a nation-state) used Claude Code and a range of tools in the developer environment, leveraging Model Context Protocol (MCP) systems, to drive benign open-source hacking tools almost autonomously and at scale against carefully selected companies. There were over 30 attempted attacks; several were successful, proving that AI agents can indeed execute devastating breaches with very little human intervention.
Last month, GlassWorm, a first-of-its-kind self-propagating worm targeting VS Code extensions, was identified by Koi Security. While malicious extensions are not a new attack vector, there is a new wave of coding extensions (including MCP servers) that at first glance have benign functionality but under the hood host a range of malicious activities that could compromise a developer’s endpoint quickly.
Maybe it’s time we slowed down, took a deep breath, and put our heads together to work out how best to defend against this new threat profile.
Securing systems against high-velocity AI agents
The recent paper by Anthropic highlights a potent new threat, one that confirms the long-held fears of many in the security community, by showing how AI can dramatically accelerate and amplify distributed risk. This development gives malicious actors further advantage, which is maddening considering the head start they already have over burnt-out, stretched security personnel managing the tech sprawl in the average enterprise.
In essence, state-sponsored attackers managed to "jailbreak" the Claude Code model. They successfully tricked the AI into circumventing its sophisticated security protocols to execute hostile operations. Once compromised, the rogue AI agent, utilizing its MCP access, rapidly infiltrated various corporate systems and tools. It pinpointed highly sensitive databases within the target organizations in a timeframe that would be impossible for even the most advanced human hacking collectives.
This breach unleashed a terrifying cascade of actions: comprehensive vulnerability testing, the automated generation of malicious code, and even the self-documentation of the attack, complete with system scan logs and the Personally Identifiable Information (PII) it successfully nabbed.
For security veterans, this is a genuine nightmare scenario. How can human teams possibly match the sheer speed and destructive capability of an attack vector powered by this kind of AI?
A developer’s endpoint and this new AI ecosystem offer new attack vectors
Every developer prefers their own IDE, whether it's the classic VS Code, JetBrains’ IntelliJ or Eclipse, or the newer Cline, Windsurf or Cursor, and most of these have app marketplaces offering extensions to download and install. These extensions are rarely scrutinized for malicious activity, typically ship over-permissioned and, even inside a nominally sandboxed environment, can still access files.
These environments are now all integrating AI capabilities, AI agents and a range of new tools these agents can use (MCP servers, for example). Often, these are all published through marketplaces where any developer can release their new tools. And yes, you guessed it, these MCP servers can often read, write and execute commands on a system, all through an AI environment that is most likely vulnerable to prompt injection. What could possibly go wrong?
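The over-permissioned MCP servers described above are usually declared in a small JSON file in the project or user profile, so the first defensive step is simply to inventory them. The following audit script is an added example, not code from this article or from Secure Code Warrior; it assumes the `{"mcpServers": {name: {command, args, env}}}` layout used by Claude Code's project-level `.mcp.json` (other clients use similar but not identical layouts), and the configuration it audits is constructed for illustration.

```python
"""Audit an MCP server config for shell launchers, unpinned packages,
exposed filesystem roots and secrets passed through the environment."""
import json
import re

# Constructed sample .mcp.json: one over-permissioned filesystem server,
# one server launched through a shell with a token in its env, one pinned server.
SAMPLE_MCP_JSON = r'''
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"]
    },
    "shell-helper": {
      "command": "bash",
      "args": ["-c", "node ./tools/shell-mcp.js"],
      "env": {"GITHUB_TOKEN": "ghp_constructed_example_token"}
    },
    "docs": {
      "command": "npx",
      "args": ["@acme/docs-mcp@1.4.2"]
    }
  }
}
'''

SHELL_COMMANDS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
SECRET_ENV_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE", re.IGNORECASE)
# A package spec with no "@version" suffix after the name (scoped or not).
UNPINNED_PKG_RE = re.compile(r"^(@?[\w.-]+/)?[\w.-]+$")
# "/" or a bare Windows drive handed to a server means the whole disk is in scope.
ROOT_PATH_RE = re.compile(r"^(/|[A-Za-z]:\\?)$")
SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}


def audit_server(spec):
    """Return a list of (severity, finding) tuples for one server entry."""
    findings = []
    command = spec.get("command", "")
    args = spec.get("args", [])
    env = spec.get("env", {})
    if command in SHELL_COMMANDS:
        findings.append(("high", "launched through a shell interpreter"))
    if command in ("npx", "uvx"):
        pkgs = [a for a in args if not a.startswith("-")]
        if "-y" in args or "--yes" in args:
            findings.append(("medium", "auto-installs package without confirmation"))
        if pkgs and (UNPINNED_PKG_RE.match(pkgs[0]) or pkgs[0].endswith("@latest")):
            findings.append(("medium", f"unpinned package {pkgs[0]}"))
    if any(isinstance(a, str) and ROOT_PATH_RE.match(a) for a in args):
        findings.append(("high", "filesystem root exposed"))
    for key in env:
        if SECRET_ENV_RE.search(key):
            findings.append(("medium", f"secret-looking env var {key}"))
    return findings


def audit_config(text):
    """Map server name -> findings for every server in the config."""
    cfg = json.loads(text)
    return {name: audit_server(spec) for name, spec in cfg.get("mcpServers", {}).items()}


def max_severity(findings):
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__, default="none")


def high_risk_servers(text):
    """Sorted names of servers with at least one high-severity finding."""
    report = audit_config(text)
    return sorted(name for name, f in report.items() if max_severity(f) == "high")


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_MCP_JSON).items():
        print(f"{name}: {max_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run it against every `.mcp.json` checked into a repository, or the per-user config of each IDE, to get the inventory a CISO currently lacks.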
The non-negotiable need for AI tool traceability and observability
It’s all at once complex yet simple: If a CISO has no idea which developers are using which AI tools, what code is being committed, or which repositories are augmented by human-AI collaboration, then a huge dataset is missing, and observability needs to improve yesterday.
The rapid integration of AI coding assistants and MCP servers, now leveraged by a vast majority of developers, has created a critical security blind spot within the SDLC. The data is alarming: up to 50% of functionally correct LLM-generated code has been found to contain security bugs, yet without proper observability, CISOs and AppSec teams lack actionable insight into the sheer volume and sources of this high-risk code being introduced. This critical lack of traceability renders effective AI governance in the form of policy enforcement and risk mitigation functionally impossible.
To safely maximize the immense productivity gains offered by AI, organizations must mandate solutions that provide complete, deep visibility into the AI attack surface. Secure Code Warrior has SCW Trust Agent: AI in closed beta with a select number of our customers. This capability provides deep observability by actively monitoring AI-generated code traffic (including MCP servers) in real time on the developer’s local machine and IDE, and tracking it through pull requests and commits to the actual software repositories. Accurate security traceability is achieved only by correlating three vital signals: the specific AI coding tool and LLM model used, the targeted code repository, and, most critically, the contributing developer's measured secure coding proficiency.
Only by establishing this verifiable chain of correlation can an organization accurately benchmark the actual security risk being introduced, automate robust policy enforcement, and ensure that AI-enabled developers meet mandatory secure coding standards before their contributions successfully bypass existing guardrails.
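To make the three-signal correlation concrete, here is an added example of a merge gate that joins AI provenance, repository tier and developer proficiency into a policy decision. It is not SCW Trust Agent code; it assumes a hypothetical pre-commit hook records provenance as `AI-Tool:` and `AI-Model:` git trailers, treats a `Co-Authored-By: Claude` trailer as a fallback signal, and uses constructed repository tiers, proficiency scores and commits.

```python
"""Correlate AI tool, target repository and developer proficiency into a
merge-gate decision. Sample data below is constructed for illustration."""
from dataclasses import dataclass

# Constructed sample data: repo risk tier, per-developer proficiency (0-100,
# e.g. from secure-coding assessments) and the minimum score per tier.
REPO_TIER = {"payments-api": "critical", "marketing-site": "low"}
PROFICIENCY = {"alice@example.com": 82, "bob@example.com": 41}
MIN_PROFICIENCY = {"critical": 75, "standard": 60, "low": 40}


@dataclass
class Commit:
    sha: str
    author: str
    repo: str
    message: str


def parse_trailers(message):
    """Extract 'Key: value' trailers from the last paragraph of a commit message."""
    last_para = message.rstrip().split("\n\n")[-1]
    trailers = {}
    for line in last_para.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and " " not in key.strip():
            trailers[key.strip().lower()] = value.strip()
    return trailers


def ai_provenance(commit):
    """Return (tool, model) or (None, None) when no AI signal is recorded."""
    t = parse_trailers(commit.message)
    tool, model = t.get("ai-tool"), t.get("ai-model")
    # Assumption: a Co-Authored-By trailer naming Claude is treated as Claude Code.
    if not tool and "claude" in t.get("co-authored-by", "").lower():
        tool = "claude-code"
    return tool, model


def gate(commit):
    """Return (decision, reason); decisions are 'allow', 'review' or 'block'."""
    tool, model = ai_provenance(commit)
    tier = REPO_TIER.get(commit.repo, "standard")
    score = PROFICIENCY.get(commit.author)
    if tool is None:
        return "allow", "no AI provenance recorded (coverage depends on the hook)"
    if score is None:
        return "block", f"AI-assisted commit by {commit.author} with no proficiency record"
    if score < MIN_PROFICIENCY[tier]:
        return "block", (f"{tool} commit to {tier} repo by developer below "
                         f"threshold ({score} < {MIN_PROFICIENCY[tier]})")
    if tier == "critical":
        return "review", f"{tool}/{model or 'unknown model'} commit to critical repo needs human review"
    return "allow", f"{tool} commit within policy"


def ai_assisted_share(commits):
    """Fraction of commits carrying AI provenance: the 'volume' signal."""
    flagged = sum(1 for c in commits if ai_provenance(c)[0] is not None)
    return flagged / len(commits) if commits else 0.0


# Constructed commits exercising each branch of the gate.
SAMPLE_COMMITS = [
    Commit("a1", "alice@example.com", "payments-api",
           "Add refund endpoint\n\nAI-Tool: claude-code\nAI-Model: example-model-v1"),
    Commit("b2", "bob@example.com", "payments-api",
           "Rework ledger sync\n\nAI-Tool: cursor\nAI-Model: example-model-v1"),
    Commit("c3", "bob@example.com", "marketing-site",
           "Update hero copy\n\nCo-Authored-By: Claude <noreply@anthropic.com>"),
    Commit("d4", "alice@example.com", "marketing-site", "Fix typo"),
]

if __name__ == "__main__":
    for c in SAMPLE_COMMITS:
        print(c.sha, *gate(c))
    print(f"AI-assisted share: {ai_assisted_share(SAMPLE_COMMITS):.0%}")
```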
Get in touch with us if you’d like to know more or see a demo of supercharged AI governance in action, or just send a message to join the beta program.


Is the cybersecurity world moving too fast on agentic AI? The future of AI security is here, and it's time for experts to move from reflection to reality.
Chief Executive Officer, Chairman, and Co-Founder

Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.

