New Straiker Research: 36% of Successful AI Coding Agent Attacks End in Remote Code Execution

The inaugural STAR Labs report ran real exploits on AI agents and found that 91% of successful attacks on productivity agents left no trace

MOUNTAIN VIEW, Calif., July 14, 2026 /PRNewswire/ — Straiker, The Agentic Security Company, today released the inaugural threat report from its STAR Labs team. To understand the real-world risk AI agents pose to enterprises, researchers ran thousands of adversarial scenarios across production coding, productivity, and first-party agents, resulting in more than 1,700 successful exploits. Volume I is available to read and download here.

Straiker logo

Of the attacks that succeeded, STAR Labs found:

  • Coding agents are the highest-risk deployment. 36% of successful attacks on coding agents in scope, including Cursor, Claude Code, and GitHub Copilot, reached remote code execution on the developer’s machine, the same machine that holds source code and cloud keys. In one proof-of-concept, STAR Labs bought Google Ads to outrank a real install page and harvest coding-agent credentials.

  • Productivity agents fail silently. Productivity agents are the enterprise AI assistants and browser agents embedded in everyday work – such as ChatGPT Enterprise, Microsoft 365 Copilot, Gemini for Workspace, Perplexity Comet and Claude for Chrome – that read email, documents, chats, and the web on a user’s behalf. Across the productivity agents in scope for this research, 91% of successful attacks ended in silent data exfiltration. No jailbreak, phishing link, or malware was required.

  • Custom, first-party agents carry the widest blast radius. The agents an enterprise builds for itself on platforms like Amazon Bedrock AgentCore, Microsoft Foundry and Google Gemini Enterprise, operate inside the corporate trust boundary. Compromise one and the blast radius is enterprise-wide, reaching internal systems and data that coding and productivity agents never touch.

  • The agentic supply chain is shared and ungoverned. Nearly a quarter (24%) of 17,651+ tracked Model Context Protocol (MCP) servers carry at least one vulnerability, and 28.6% of 130,667 cataloged tools are high risk on their face. MCP is not the only channel: a poisoned Skill is prompt injection with a distribution channel. In one marketplace, roughly 5% of published Skills were malicious or high risk. One bad server or Skill reaches every agent type at once.

  • A new adversary has emerged along with the vulnerability it exploits. STAR Labs names AiPT (AI-Powered Persistent Threats): adversaries that are themselves agents, running offensive toolkits such as Cyberspike Villager to automate reconnaissance, exploits, and persistence. What they exploit is LAVA (Language-Augmented Vulnerabilities in Applications), the flaw class in the language agents reason over.

Traditional tooling can’t see this. Endpoint detection, firewalls, and vulnerability scanners read code, endpoints and packets, not the semantic layer where an agent decides to execute a malicious instruction. To close that gap, Straiker built the Straiker STAR Framework for AI Agent Security, which maps the attack surface across the four layers an agent moves in (application, model, tools and MCP, and data) and the three agent types where compromise hits hardest.

Vinay Pidathala, vice president of AI security research, Straiker, said: “Agents are the new attack surface, and attackers are weaponizing context. Context decides whether an agent ships a fix or wipes a drive. Traditional controls were never built to see these attacks, which is why agentic security needs a framework built for both agent architecture and deployment context.”

Read the full research at the STAR Labs report microsite, and see where your own agents stand with a free AI risk assessment.

About Straiker

Straiker is The Agentic Security Company. Its agentic-native platform discovers, tests, and protects the AI agents enterprises run and build, securing the fastest-growing workforce in the enterprise. Straiker is trusted by Fortune 500 enterprises and frontier AI labs and backed by a $64M Series A led by Marathon, with Bain Capital Ventures and Lightspeed. Learn more at straiker.ai.

All product names and logos are trademarks of their respective owners. Use here is for identification and commentary only.

Media Contact: Shannon Van Every [email protected] 

Cision View original content to download multimedia:https://www.prnewswire.com/news-releases/new-straiker-research-36-of-successful-ai-coding-agent-attacks-end-in-remote-code-execution-302824767.html

SOURCE Straiker