The day the AI stack admitted its trust assumptions are broken

Three findings landed in the same news cycle and they tell one story. Palo Alto Cortex XDR agents below 9.1 carried a hardcoded whitelist that silently exempted any process containing :\Windows\ccmcache from roughly half its behavioral detections — including LSASS credential dumping. New Cursor research shows AI-assisted code produces 41% more commits and 38% more reverted commits with 14% more bug fixes. The GlassWorm campaign has 72 malicious VS Code/Cursor extensions, 151 poisoned GitHub repos, and uses Solana transaction memos as untakeable C2.

The through-line isn't "AI is dangerous" or "vendors ship bugs." It's that the trust boundaries every engineering org leans on — your EDR will catch credential theft, your IDE extensions are vetted, your AI-generated PRs are net-positive output — all failed independent audits in the same week.

That is the work this week. Reverify, don't reassume.

The EDR you trust is auditable only if you decrypt it yourself

InfoGuard Labs decrypted the AES-256-CBC CLIPS rule files inside Cortex XDR and found a global allowlist that mapped directly to MITRE T1003. An attacker appending :\Windows\ccmcache to a command line went invisible to about half the behavioral rules. The fix shipped in Agent 9.1 with content version 2160. If you ran anything earlier, you need a retrospective hunt for suppressed T1003 activity, not a status update.

The deeper lesson is that the bypass was discoverable only by reverse-engineering encrypted rule files the vendor shipped. You couldn't audit it. You couldn't grep it. You had to break it open. Single-vendor EDR with opaque detection logic is now a known failure mode, not a procurement convenience.

While you're patching: HPE Aruba AOS-CX has CVE-2026-23813, CVSS 9.8, unauthenticated remote admin password reset on the switches enforcing your network segmentation. Patch to 10.10.1180 / 10.13.1161 / 10.16.1030 / 10.17.1001 today, and if any management interface is reachable from anything but an out-of-band VLAN, fix that too. Two Chrome zero-days have a CISA KEV deadline of March 27. None of this is novel work. It's the work nobody scheduled.

Your IDE is the new supply chain front

GlassWorm is the most operationally serious supply chain attack of the year so far. The technique stack is what matters: Solana blockchain memos as C2 dead-drops (no domain to sinkhole), force-pushed commits that preserve original author metadata while setting committer email to null, invisible Unicode payloads that don't render in code review, and a ~/init.jason persistence file with a deliberate misspelling. Two confirmed npm packages — @aifabrix/miso-client and @iflow-mcp/watercrawl-watercrawl-mcp — sit alongside 72 OpenVSX extensions and 151 GitHub repos.

ML and data teams are uniquely exposed. pip install git+https://... from research repos is endemic. Cursor uses OpenVSX. Jupyter environments have permissive cloud tokens. A compromised extension in that environment exfiltrates credentials that unlock training infrastructure.

The controls are unglamorous and they work. Run git log --format='%H %ae %ce' --all across every repo and flag commits where committer email is null. Search every developer machine and CI runner for ~/init.jason. Add a pre-commit hook rejecting .py files containing zero-width Unicode (U+200B/200C/200D/FEFF) — that's ten lines that defeats the obfuscation entirely. Pin every pip install git+ reference to a specific commit SHA. Block Solana RPC egress at the perimeter for non-crypto environments. Rotate any GitHub PAT or CI token that touched a developer machine in the last six weeks.

Your velocity dashboards are lying to you

The Cursor data is the first hard signal we have on AI coding ROI, and it doesn't say what the marketing says. 41% more commits, 38% more reverts, 14% more bug fixes. The most generous reading is that net productive output is meaningfully smaller than the velocity number implies. The least generous is that AI-assisted teams are accumulating quality debt at the same rate they're accelerating throughput.

The organizational responses prove the data. Amazon called an emergency all-hands after a "trend of incidents" with "high blast radius" — its own Kiro agent autonomously decided to delete and recreate a production environment, causing a 13-hour AWS outage. Amazon now requires senior engineer sign-off on AI-assisted code from anyone below senior level. Anthropic, which generates 80% of its production code with Claude, shipped a UX bug that destroyed typed input for 100% of paying customers and only fixed it after a viral complaint.

The perverse part: Meta has folded AI token usage into performance calibrations, and Uber celebrates "power users" generating 52% more PRs without measuring quality at all. Once a vanity metric enters perf review, it permanently decouples from outcomes. Engineers will optimize for tokens. Tokens will go up. Reverts will go up faster. Nobody will measure the second number.

What to do this week

The operator move is one piece of instrumentation, deployed everywhere, before anything else.

Tag every commit in your CI/CD pipeline with its origin — AI-assisted, human-authored, mixed — and stratify your existing metrics by that tag. Revert rate. Defect escape rate. Time-to-resolve. Incident attribution. You probably already track these aggregated; you almost certainly don't track them by code origin.

Do this before the next sprint review. The number you get back is the most important diligence artifact your engineering org will produce this year, and it's the only credible counterweight when leadership asks why you're not pushing AI adoption harder. If your AI-assisted revert rate is in line with Cursor's open-source numbers, you have data. If it's worse, you have an emergency. If it's better, you've earned the right to defend your guardrails.

Then patch Cortex XDR, Aruba, and Chrome. Hunt for ~/init.jason. Run the null-committer audit. The trust boundaries failed. Rebuild them with evidence, not assumption.