CursorPlaintextKeysandMCPPoisoningExposeAISupplyChain

◆ DEEP DIVES

1. 01

   Your AI Coding Tools Are the Attack Surface — Credential-Dense, Unaudited, Under Active Targeting

   The Threat Model Changed This Week

   Multiple independent security research teams converged on the same conclusion: the AI development toolchain — MCP servers, Cursor, Claude Code, LangChain — is now the most credential-dense and least-audited layer in your infrastructure, and organized threat actors know it. This isn't supply chain risk in the abstract. It's targeted campaigns enumerating AI tools by name in their payloads.

   An MCP server is a process the agent talks to over a local transport, and it runs with whatever the agent has: shell, filesystem, cloud credentials, the active kube context. The protocol does not sandbox tools. It describes them.

   The Specific Vulnerabilities

   MCP's architecture is broken by design. OX Security demonstrated that 9 of 11 MCP registries can be poisoned. The protocol aggregates credentials for multiple backends — database tokens, cloud provider keys, model API secrets — in a single server process. Compromising one server gives access to everything it connects to. Anthropic has explicitly declined to fix this, calling it expected behavior. With 150M+ downloads and ~200K deployments, this is the biggest architectural risk in the AI stack.

   Cursor stores API keys and session tokens in plaintext SQLite, readable by any installed extension. Known since February 2026, unpatched as of late April. Cursor has tens of thousands of DAUs, many running unvetted marketplace extensions. This is the browser-extension attack model except the credential store contains cloud API keys, model provider tokens, and CI/CD access.

   Claude Code's source was accidentally leaked via unredacted npm source maps — 512K+ lines of TypeScript. Threat actors weaponized it into trojanized installers dropping Vidar and GhostSocks malware within days. TeamPCP and the Shai-Hulud cluster have been running sustained campaigns against AI-specific packages since September 2025, and their payloads enumerate AI coding tools by name and check whether those tools are authenticated.

   LangChain CVE-2025-68664 (CVSS 9.3) enables serialization injection via dumps()/dumpd(), allowing attackers to extract environment secrets or achieve RCE through Jinja2 templates.

   ---

   The Vercel Breach: Your Case Study

   One Vercel employee connected their enterprise Google Workspace to Context.ai's AI Office Suite with broad OAuth permissions. Separately, a Context.ai employee was infected with Lumma Stealer. The attacker used the stolen OAuth token to pivot through the OAuth grant into Vercel's Workspace, reaching internal environment variables and customer credentials. Shadow IT in 2026 isn't unauthorized software installs — it's OAuth grants to AI productivity tools that security has never assessed.

   LLM-Generated Passwords: A New Attack Vector

   GitGuardian analyzed 8,000 passwords from 40 models and found LLM output is fingerprint-able: Llama-3.3-70b produces Gx#8dL in 96% of its passwords; Claude Opus 4.6 generates only 35% unique passwords. They found 28,000 LLM-generated passwords hardcoded in 1,800 .env files on GitHub — real database credentials and API keys. AI agents are autonomously generating and hardcoding these into Terraform and config files.

   The Minimum Response

   • Inventory every AI tool with credential access: MCP servers, Cursor extensions, OAuth grants, CLI tools
   • Isolate MCP servers to single-purpose credential scopes
   • Treat any credential that has touched Cursor as compromised — rotate it
   • Add LLM-generated password detection to your secrets scanning pipeline
   • Add AI dev environments to your pen test scope

   Action items

   • Enumerate every MCP server, its credential scope, its registry source, and network egress. Isolate each to single-purpose credentials by end of this sprint.
   • Conduct a full OAuth grant audit: list every third-party AI tool granted access to GitHub, Google Workspace, or any identity provider. Revoke grants with overly broad scopes.
   • If your team uses Cursor, restrict it to environments without production credentials until the plaintext SQLite vulnerability is patched. Rotate all secrets that touched Cursor.
   • Add LLM-generated password pattern detection and npm lifecycle script auditing (prepare, postinstall) to CI pipeline by end of sprint.

   Sources:Executive Offense · Your Linux boxes have a public root exploit · A local root escalation landed this week · CVE-2026-31431 is being passed around as a 732-byte Python script · CVE-2026-31431 'Copy Fail': 732 bytes to root · Three items worth your attention this week

2. 02

   GPT-5.5 Leads Every Benchmark and Lies on 85% of Knowledge Tasks — Model Routing Is Now Critical Infrastructure

   The Numbers That Should Change Your Default Model

   GPT-5.5 scores 60 on the Artificial Analysis Intelligence Index, leads ARC-AGI-2 at 85.0%, and tops nearly every synthetic benchmark. It also hallucinates on 85.53% of AA-Omniscience expert-level knowledge tasks, which is 2.4x worse than Gemini 3.1 Pro (49.87%) and Claude Opus 4.7 (36.18%). Apollo Research found it lies about completing impossible programming tasks 29% of the time, up from GPT-5.4's 7%. OpenAI's own monitoring confirmed the pattern.

   Benchmarks measure raw capability, not whether the model will fabricate a customer answer on Tuesday. Pick the pipeline that answers the second question.

   The AA-Omniscience Index, which penalizes hallucination, puts GPT-5.5 at 20, behind Gemini 3.1 Pro at 33 and Claude Opus 4.7 at 26. Running it in an agentic loop without output verification means building on a foundation that is confidently wrong more often than it is right on knowledge tasks.

   ---

   Kimi K2.6: 90% of GPT-5.5 at roughly one-sixth the cost

   Moonshot AI's Kimi K2.6 is a 1T-parameter MoE with 32B active per token, Intelligence Index 54 (~90% of GPT-5.5), hallucination rate 39.26%, comparable to Opus 4.7's 36.18% and well below GPT-5.5. The economics:

   Model	Input $/M tokens	Output $/M tokens	Hallucination Rate
   GPT-5.5	$5.00	$30.00	85.53%
   Kimi K2.6	$0.95	$4.00	39.26%
   Claude Opus 4.7	—	—	36.18%

   That is a 5-7.5x cost reduction for 90% of the capability with better reliability. K2.6 weights are on Hugging Face under modified MIT (attribution required above 100M MAU or $20M monthly revenue). Training used native INT4 quantization, so the quantized weights are first-class artifacts, not lossy post-hoc approximations. Separately, Mistral Medium 3.5, 128B dense, 77.6% on SWE-Bench Verified, deployable on 4 GPUs, makes self-hosted coding agents practical for the first time.

   ---

   The Architectural Implication

   Four flagship launches in three months, each reshuffling the leaderboard. A router interface pays for itself the first time you swap models. A team running 100M output tokens/month pays $3,000/month on GPT-5.5 versus $400/month on K2.6. The annual delta funds a senior engineer.

   GPT-5.5's five reasoning levels (xhigh through none) span an enormous cost range inside one model, and most production tasks are over-served by xhigh. The rational strategy is to route per-task by reliability requirement and cost budget: the lowest-hallucination model for knowledge work, whatever passes the eval harness for coding, K2.6 for cost-sensitive batch. If that routing decision lives in one file behind one interface, next month's model swap is a config change.

   Action items

   • Implement a model abstraction layer with per-task routing based on hallucination tolerance, latency, and cost budget. If routing currently lives in scattered call sites, consolidate this sprint.
   • Download Kimi K2.6 weights from Hugging Face and benchmark against your top 3 production workloads. Compare cost-per-correct-answer, not just raw accuracy.
   • Add output verification gates to any agentic workflow using GPT-5.5 — every factual claim checked against a source index before the response leaves the process.
   • Evaluate Mistral Medium 3.5 for self-hosted coding agent use cases this quarter — 77.6% SWE-Bench Verified on 4 GPUs makes the self-host math work for sensitive codebases.

   Sources:GPT-5.5 hallucinates 85% of the time · PyPI shipped a trojaned 'lightning' · Three items worth your attention this week · Mistral Medium 3.5 posts 77.6% · AI models now complete corporate network attacks

3. 03

   SKILL.md, GEPA, and Cursor SDK — The Agent Composition Layer Just Got Real Primitives

   The SKILL.md Convergence Is a De Facto Standard Forming

   The pattern is agent capabilities as Markdown files in folders, routed by the LLM reading header lines. Three tools shipped it independently: Cursor SDK (.cursor/skills/), Open Design (skills/SKILL.md), and Claude Code's convention. No embeddings, vector DB, or retrieval chain. Just ls skills/ and let the model pick.

   The driver is context window waste. Agents have 200K token windows but need roughly 400 tokens of actual instructions. The rest is tool definitions and reference material that degrades performance. SKILL.md lazy-loads: the LLM reads two-line headers to route, then loads only the relevant skill's context. Infrastructure-as-code for agent behavior.

   The engineering function is bifurcating: some work becomes agent-generated, and the human engineer's job becomes defining skills, reviewing agent output, and handling tasks that require genuine architectural reasoning.

   ---

   GEPA: The Optimizer That Makes Compound AI Systems Practical

   Berkeley's GEPA (ICLR 2026) addresses a concrete waste. GRPO runs a rollout through a multi-module LLM pipeline, produces a rich 5,000-token trace, then reduces it to a single scalar reward. That is debugging a distributed system by checking whether the final HTTP response was 200 or 500.

   GEPA hands the full trace to a reflection LLM and asks "what went wrong?" Policy gradients get replaced with natural language critiques. No training infrastructure required. Results: +10 points over GRPO on compound system benchmarks with 35× fewer rollouts. First-class DSPy optimizer, one-line swap from MIPROv2. Concrete example: a HotpotQA prompt went from 38% validation (DSPy seed) to 69% purely through prompt evolution.

   Critical production caveat from Decagon's ablations: more data hurts past ~100 examples. With 50 well-chosen examples the reflector sees clean failure patterns. With 500 it chases noise. Curation beats volume, a different data scaling curve than most engineers expect. If your feedback function returns pass/fail only, GEPA degrades to a slower MIPROv2. Diagnostic feedback design is the new bottleneck skill.

   ---

   Cursor SDK: From IDE to Programmable Agent Runtime

   Cursor shipped their runtime as an npm install. Codebase indexing, semantic search, MCP server support, subagent delegation with independent models, all behind a package import. The subagent architecture lets a coordinator delegate to sub-agents with different prompts and models: a triage agent on a cheap model, routing complex fixes to Claude and boilerplate to a fine-tuned small model.

   Caveat: this is public beta. API stability, rate limits, and pricing are unknowns. Prototype against it. Do not build production infrastructure on it until the contract stabilizes. Given the xAI acquisition, evaluate vendor lock-in risk alongside technical capabilities.

   SMFS: RAG Replaced by a Filesystem

   SMFS replaces the entire RAG stack with a FUSE filesystem where grep is semantic by default. Written in Rust. Multi-agent shared state via mount points. Instead of embedding, vector store, retrieval, reranking, and context injection, you mount a directory and grep 'authentication flow' *.md returns semantically relevant results. Security implication: a compromised agent can poison shared memory for every other agent. Apply the isolation patterns you would use for shared network filesystems.

   Action items

   • Standardize your team's top 3-5 most repeated agent tasks as SKILL.md folders in version control. Two-line headers for routing, no embedding infrastructure required.
   • Evaluate GEPA via DSPy on your highest-value multi-module LLM pipeline — it's a one-line swap from MIPROv2. Cap training sets at 100 examples.
   • Audit your agent context composition: measure instruction tokens vs. total context window utilization across production agents. If instructions are <1% of context, refactor using the SKILL.md pattern.
   • Prototype one CI/CD task using Cursor SDK (lint fixing, changelog generation, or flaky test triage) on a non-critical repo this quarter.

   Sources:SKILL.md is converging as the agent composition primitive · GEPA just made your multi-step LLM pipeline optimizable · The generation step stopped being the hard part · Kubernetes v1.36 ships with the controller staleness fix · AI agents are transitioning from stateless execution