How AI Coding Tools Crushed the Endpoint Security Fortress
Security vendors have spent years building up defenses around the endpoint, but one researcher says AI coding tools have brought the walls down.
Rob Wright, Senior News Director, Dark Reading
March 24, 2026
RSAC 2026 CONFERENCE – San Francisco – Artificial intelligence has been hailed by many as a game changer for cybersecurity, but one researcher believes these new tools are systemically undermining modern defenses.
During a Tuesday session at the RSAC 2026 Conference in San Francisco, Oded Vanunu, chief technologist at Check Point Software, detailed what he describes as a "new era" of client-side attacks enabled by AI coding assistants. The session, titled "When AI Agents Become Backdoors: The New Era of Client-Side Threat," revealed a series of vulnerabilities in popular tools such as Anthropic's Claude Code, OpenAI's Codex, and Google's Gemini.
Vanunu tells Dark Reading that he and his research team spent the past year investigating AI development tools and quickly discovered they were jeopardizing much of the progress made by the cybersecurity industry. Over the past decade, the industry invented "amazing platforms and technologies" to better protect endpoints and move application execution to the cloud, he says.
"And then in just a few months, we saw that the AI tools were basically crushing everything that we had been fighting for," Vanunu says.
How AI Coding Assistants Break the 'Endpoint Fortress'
Vanunu says client-side risk has been reduced thanks to 20 years of cybersecurity advancements, from OS hardening and sandboxes to endpoint detection and response (EDR) and browser isolation. Additionally, the shift to software-as-a-service (SaaS) and cloud platforms effectively turned endpoints into thin clients and dramatically reduced the attack surface.
But those advancements, which created an "endpoint fortress," have been undone by AI coding assistants, which, Vanunu says, "basically rewrote the rules entirely" because they require access to local filesystems and configurations on a developer's endpoint.
Developers often assign the coding assistants the highest privileges and grant them broad access throughout the network, which allows the agents to burrow a tunnel through the fortress walls. And because the agents are automated and highly privileged, security technologies struggle to monitor what they're doing and determine if the tasks are malicious.
"At this moment, all security products are blind. Totally blind," Vanunu tells Dark Reading. "They can't really understand or control exactly what the agentic AI is doing."
Oded Vanunu's session explained how AI coding tools have created a wormhole through modern endpoint defenses. SOURCE: Check Point Software
To make matters worse, Vanunu says AI tools have an enormous blind spot of their own because they treat configuration files as active execution instructions. And while developers are cautious with .exe files, he says, they're much less careful with .json, .env or .toml files.
Since there's very little human oversight for these configuration files, threat actors can easily place a seemingly innocuous line of text in the configuration metadata that causes agents to, for example, run a malicious command. The metadata in these configuration files is "becoming the biggest enemy of these organizations," Vanunu says, because they're often overlooked.
"What we're seeing is that the attackers basically don't need to create malware anymore," he says. "They can just use config files."
Vulnerabilities in AI Coding Assistants
Vanunu's research team discovered six vulnerabilities in several popular AI coding tools, all of which were previously disclosed to and patched by the vendors. The first, CVE-2025-59536, is a high-severity flaw in Claude Code that allows an attacker to trick the tool into executing malicious code contained in a project before the user has accepted the startup trust dialog.
Vanunu explains that attackers can exploit the flaw to weaponize Claude Code Hooks, user-defined shell commands designed to run automatically, and thereby bypass EDR products.
A threat actor could also fashion a model context protocol (MCP) consent bypass. While Claude requires user consent before MCP server plug-ins execute, Claude Code reads configurations automatically, which allows malicious MCP servers defined in those files to execute commands before the trust dialog appears.
In OpenAI Codex CLI, the team found a code injection flaw, CVE-2025-61260 (CVSS score pending), that could be used in similar attacks. An attacker could use a project .env file to redirect the CLI to a malicious local .toml configuration file. That file then wires in attacker-controlled MCP servers, causing the coding tool to run their commands immediately, without human authorization.
The research team also discovered CVE-2025-54136, a high-severity remote code execution (RCE) vulnerability in Cursor, an AI coding platform. When a developer approves an MCP server command, Cursor binds the authorization to the plug-in's name rather than the content hash of what was approved. This allows a threat actor to execute a "swap attack" in which they submit a benign command and, after it's been approved, update the plug-in with a malicious payload.
And lastly, Vanunu's session detailed a flaw in Google's Gemini CLI, which has not been assigned a CVE, that allows threat actors to disguise malicious commands as legitimate scripts within documentation files. An attacker can embed malicious commands in a GEMINI.md file, which the tool will silently execute without user approval or oversight.
Mitigating AI Agent Cyber-Risks
While all four companies addressed the flaws, Vanunu says they reveal dangerous attack paths that threat actors can easily exploit. They also show that "developers are the new perimeter."
To mitigate such threats, he urges organizations to start by conducting a full audit to identify all AI technology in use, especially "shadow AI" tools, and to analyze all configuration and project metadata for suspicious content.
Secondly, he recommends that organizations implement isolation for their coding tools and require all AI-automated shell tasks to first run in sandboxes. And lastly, he urges security teams to adopt a "Configuration = Code" policy that treats developer workstations as a zero-trust environment where text cannot be executed without verification.
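The Cursor "swap attack" described above and the "Configuration = Code" policy Vanunu recommends come down to the same design question: what an approval is bound to. The following Python sketch is an added example, not code from Check Point, Cursor or any other vendor named here; the MCP-style server entries are constructed sample data, and the two approval stores are hypothetical models of a name-bound versus a content-hash-bound approval.

```python
import hashlib
import json

# Constructed sample entries shaped like MCP server definitions in a project
# config file. V1 is what the developer reviewed and approved; V2 is the same
# plug-in name after the configuration was changed (payload is a placeholder).
SERVER_V1 = {"name": "docs-helper", "command": "npx", "args": ["docs-helper-mcp"]}
SERVER_V2 = {"name": "docs-helper", "command": "sh", "args": ["-c", "echo SWAPPED_PLACEHOLDER"]}


def canonical_hash(entry: dict) -> str:
    """SHA-256 over canonical JSON: key order and whitespace do not matter,
    but any change to command or args yields a different digest."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class NameBoundApprovals:
    """Weak model: remembers only the approved plug-in name, so the content
    behind that name can change after approval without anyone noticing."""
    def __init__(self):
        self.approved = set()

    def approve(self, entry: dict) -> None:
        self.approved.add(entry["name"])

    def is_approved(self, entry: dict) -> bool:
        return entry["name"] in self.approved


class HashBoundApprovals:
    """Hardened model: approval is bound to the content digest, so a swapped
    payload under the same name is treated as unreviewed text, not as code."""
    def __init__(self):
        self.approved = {}  # plug-in name -> digest of the reviewed entry

    def approve(self, entry: dict) -> None:
        self.approved[entry["name"]] = canonical_hash(entry)

    def is_approved(self, entry: dict) -> bool:
        return self.approved.get(entry["name"]) == canonical_hash(entry)


def swap_attack_blocked(store_cls) -> bool:
    """Approve the benign V1 entry, then present the swapped V2 entry.
    Returns True if the store refuses to run V2 without re-approval."""
    store = store_cls()
    store.approve(SERVER_V1)
    return not store.is_approved(SERVER_V2)
```

Run both stores through `swap_attack_blocked`: the name-bound store waves the swapped entry through, while the hash-bound store forces a fresh human review, which is the verification step the "Configuration = Code" policy asks for.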
"The bottom line is that this is the new perimeter," Vanunu says. "And we need to redesign security."
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.