Published
- 4 min read
By Allan D - Editor, AI Security Wire
Straiker Research: 36% of Coding Agent Attacks Lead to RCE
A new threat report from Straiker’s STAR Labs research team, published on 14 July 2026, puts a concrete number on something the AI security community has been discussing qualitatively for months: when attackers successfully compromise an AI coding agent, the consequences escalate fast.
Researchers ran more than 1,700 adversarial scenarios across production coding, productivity, and first-party agents. The headline finding is that 36% of successful attacks on coding agents reached remote code execution on the developer’s machine. That figure deserves context: it is not a rate of all attack attempts, it is the rate at which successful exploits turned into OS-level code execution. But it is 36% of over 1,700 successes, which is a meaningful sample.
Why the Developer Machine Matters
The reason this finding is more serious than RCE-on-a-server is the inventory of what a developer machine holds. Source code repositories, git credentials, SSH keys, AWS and GCP access tokens, internal API keys, package signing certificates. Compromise the machine and you have a lateral movement playbook that bypasses the network perimeter entirely.
Coding agents make this worse by design. They operate with shell access, file system access, and often active cloud provider sessions to build, test, and deploy code. The agent’s legitimate access profile is the attacker’s prize. An agent that can run aws s3 sync to deploy a build can equally be made to run aws s3 sync to exfiltrate data.
The Productivity Agent Numbers
The coding agent RCE finding gets the attention, but the productivity agent numbers are arguably more alarming from a data protection standpoint: 91% of successful attacks against productivity agents ended in silent data exfiltration.
The word “silent” is doing real work here. These aren’t incidents where the agent produced an obvious error or the user noticed unexpected behaviour. The exfiltration happened within the normal output of the agent’s task. A productivity agent answering questions about meeting schedules, drafting emails, or summarising documents is a natural vehicle for extracting whatever is in its context window.
Agents connected to email, calendar, CRM, or document management systems have access to significant quantities of sensitive information as part of their normal operation. The 91% figure reflects how few defensive controls exist specifically for this attack surface compared with conventional application security.
What the Research Found About Attack Patterns
The STAR Labs methodology focused on adversarial scenarios as deployed, not synthetic laboratory conditions. Common attack patterns included injected instructions via tool outputs, malicious content in retrieved documents that redirected agent behaviour, and context manipulation that caused agents to treat attacker-supplied data as operator instructions.
Cursor, Claude Code, and GitHub Copilot were all in scope. The research notes these are production tools tested in configurations representative of how enterprise teams actually deploy them, not isolated model evaluations. That distinction matters: many model-level safety evaluations don’t capture how agents behave when connected to real tool ecosystems.
Defensive Direction
Straiker’s recommendations align with the structural controls that have emerged from this year’s agentic AI security research broadly. Three specific areas stand out.
Origin-bound authority on memory. Agents that allow injected content to modify their operating instructions have no boundary between the attacker’s payload and the operator’s intent. Making agent memory resistant to runtime modification is a structural control that limits what a successful injection can actually do.
Limiting the Lethal Trifecta. The phrase comes from the research: data access, untrusted inputs, and execution capabilities in the same agent session is the combination that enables the most dangerous attack chains. Agents that need to process untrusted data should have their execution capabilities restricted for that session. Agents with broad execution capabilities should have their exposure to untrusted inputs minimised.
Agent-specific monitoring. Standard EDR operates on process execution. Agent attacks often don’t look like process execution anomalies at the OS level: the shell command being run is python agent.py, which is entirely expected. What’s anomalous is which system commands the agent issues during that session. Monitoring at the agent action level rather than just the OS process level is necessary to detect these attacks in production.
The Straiker STAR Labs report is publicly available and includes the full methodology and scenario breakdown. The company is also the context for a $64 million Series A closed in June 2026, which is relevant to evaluating the research, but the specific findings on coding agent RCE rates are consistent with what researchers at Adversa AI, Mozilla 0Din, and academic institutions have been documenting through the first half of 2026.
References
- Yahoo Finance / Straiker — New Straiker Research: 36% of Successful AI Coding Agent Attacks End in Remote Code Execution
- Straiker — Straiker Raises $64M Series A to Secure the Agentic Workforce
- SiliconANGLE — Straiker lands $64M to defend enterprise AI agents from attack
- Adversa AI — Top Agentic AI security resources July 2026
Frequently Asked Questions
- Which AI coding agents were included in Straiker's research?
- The STAR Labs report covers production coding agents including Cursor, Claude Code, and GitHub Copilot, as well as productivity and first-party agents. The researchers ran adversarial scenarios specifically against agents as deployed in real enterprise environments, not against isolated model APIs. The 36% RCE rate and 91% silent exfiltration rate apply to successful exploits within scope, not to all attempted attacks.
- What does remote code execution on a developer machine actually mean?
- A developer machine is typically the highest-privilege endpoint in an organisation's environment. It holds local copies of source code, git credentials, SSH keys, cloud provider credentials, package signing keys, and session tokens for internal systems. RCE on that machine gives an attacker everything needed to pivot into cloud infrastructure, tamper with code before it reaches production, or establish persistence in the build pipeline. It is a significantly worse outcome than RCE on a conventional server.
- How can organisations reduce exposure based on this research?
- The report points to three practical controls. Enforce non-malleable, origin-bound authority on agent memory so injected instructions cannot override the agent's operating context. Limit the 'Lethal Trifecta' of data access, untrusted inputs, and execution capabilities occurring in the same agent session. Implement agent-specific monitoring that detects when an agent is making network calls, writing files, or executing system commands outside the expected task scope. General EDR and network monitoring remain necessary but are insufficient on their own against agent-mediated attack chains.