Vibe Coding Security: Poisoned Deps, Hijacked Accounts
A testing library shipped hidden instructions telling AI coding agents to delete output. Cursor accounts got hijacked. Here's what founders need to check.
Nothing new got hacked today. But three things surfaced this week that matter more than the usual noise: a dependency shipped with hidden instructions for AI agents, a Cursor account got taken over and burned through paid usage overnight, and builders are finally arguing about what an autonomous agent should be allowed to write, not just read. None of these are exotic. All of them apply to your stack right now.
TL;DR
- A dev quietly added instructions to the jqwik testing library telling AI coding agents to delete app output — a supply-chain attack aimed directly at agentic tools like Cursor, Claude Code, and Windsurf. (Ars Technica)
- A Cursor user's account was hijacked overnight — new device added, model usage spiking while they slept. Coding-tool accounts are now worth stealing. (r/cursor)
- Builders wiring MCP servers into agents are drawing a hard line: read tools are fine, write tools (email, DNS, production data, billing) are not. (r/cursor)
- One report of a Cursor agent's reasoning bleeding into an unrelated codebase raises questions about session isolation — unconfirmed, but worth watching. (r/cursor)
A dependency told your agent to delete your own output
Here is the incident that matters most this week. A developer, reportedly fed up with low-effort AI-generated code, added an undisclosed instruction inside the jqwik testing library — a payload written to be read and obeyed by AI coding agents, not humans. When an agent encountered it, the instruction told it to delete application output. (Ars Technica)
This is not a bug in Cursor or Claude Code. It's indirect prompt injection arriving through the supply chain: anything your agent reads, whether a dependency, a doc file, an issue comment or a code review, can carry instructions the agent will treat as if they came from you. Lockfiles and hash checks don't catch this, because they verify you received the published package, and the published package is the payload. If you let an agent pull in third-party packages and act on what it finds inside them without a human in the loop, you've inherited whatever that package's author decided to write. The fix isn't paranoia about every library. It's knowing that "the agent read something and then did something destructive" is now a demonstrated failure mode, not a hypothetical one, and building in a pause before agents run destructive commands (delete, drop, force-push) based on something they just read.
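What that pause can look like in practice, as an added example that is not code from the article, from Cursor, Claude Code or jqwik: a hypothetical pre-execution gate the agent harness calls on every shell command the agent proposes. It tokenises the command the way a POSIX shell would, splits pipelines and `&&` chains into simple commands, and returns a reason for each segment that deletes, overwrites or force-rewrites something, so a human can approve before anything runs. The rule list and the sample commands are my own; the harness integration (`execute`, `confirm`) is assumed.

```python
"""Pre-execution gate for shell commands proposed by a coding agent.

Hypothetical helper, not part of Cursor, Claude Code or jqwik. It tokenises a
command the way a POSIX shell would, splits it into simple commands, and
returns a reason for every segment that deletes, overwrites or force-rewrites
something, so the harness can pause for a human before running it.
"""
import os
import re
import shlex
from typing import Callable, List, Optional

SEPARATORS = {";", "&&", "||", "|", "&"}
SQL_DESTRUCTIVE = re.compile(r"\b(DROP|TRUNCATE|DELETE)\b", re.IGNORECASE)
SHELL_LIKE = {"sh", "bash", "zsh", "dash", "eval"}
INLINE_INTERPRETERS = {"python", "python3", "node", "perl", "ruby"}


def split_pipeline(command: str) -> List[List[str]]:
    """Tokenise like a shell and split on ; && || | & into simple commands.
    punctuation_chars makes shlex emit operators and redirections as tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def segment_risk(argv: List[str]) -> Optional[str]:
    """Reason the segment is destructive, or None if it looks safe to auto-run."""
    if not argv:
        return None
    cmd = os.path.basename(argv[0])
    args = argv[1:]
    flags = [a for a in args if a.startswith("-")]
    if cmd in {"rm", "rmdir", "shred", "mkfs", "dd"}:
        return f"'{cmd}' removes or overwrites data"
    if cmd == "find" and "-delete" in args:
        return "'find -delete' removes files"
    if cmd == "git":
        sub = next((a for a in args if not a.startswith("-")), "")
        if sub == "push" and any(f == "-f" or f.startswith("--force") for f in flags):
            return "force push rewrites remote history"
        if sub == "reset" and "--hard" in flags:
            return "'git reset --hard' discards uncommitted work"
        if sub == "clean" and any(f == "--force" or (not f.startswith("--") and "f" in f) for f in flags):
            return "'git clean -f' deletes untracked files"
        if sub == "branch" and "-D" in flags:
            return "'git branch -D' deletes a branch without a merge check"
    if cmd in {"psql", "mysql", "sqlite3"} and any(SQL_DESTRUCTIVE.search(a) for a in args):
        return "SQL statement drops, truncates or deletes data"
    if (cmd == "kubectl" and "delete" in args) or (cmd == "terraform" and "destroy" in args):
        return f"'{cmd}' deletes infrastructure"
    # A shell or interpreter invoked from the shell hides the real command from
    # this check, so the wrapper itself is treated as needing review.
    if cmd in SHELL_LIKE or (cmd in INLINE_INTERPRETERS and ("-c" in args or "-e" in args)):
        return f"'{cmd}' wraps a command this gate cannot see; inspect it"
    if ">" in argv:  # '>>' appends and is left alone; '>' truncates
        return "'>' truncates the target file"
    return None


def review(command: str) -> List[str]:
    """One 'segment: reason' per destructive segment; empty means auto-run is fine."""
    findings = []
    for argv in split_pipeline(command):
        reason = segment_risk(argv)
        if reason:
            findings.append(f"{' '.join(argv)}: {reason}")
    return findings


def run_guarded(command: str, execute: Callable[[str], int],
                confirm: Callable[[str, List[str]], bool]) -> Optional[int]:
    """Run `command` via `execute` only after `confirm` approves any findings.
    Returns None when the human declined (assumed harness callbacks)."""
    findings = review(command)
    if findings and not confirm(command, findings):
        return None
    return execute(command)


if __name__ == "__main__":
    # Constructed commands of the kind an agent might emit after reading a
    # poisoned dependency; nothing here is executed, only reviewed.
    for c in ["pytest -q", "rm -rf build && git push --force origin main",
              'psql -c "DROP TABLE test_output"', "bash -c 'rm -rf ./out'"]:
        print(c, "->", review(c) or "ok")
```

This is a speed bump, not a security boundary: an agent (or the text steering it) can hide `rm` behind an interpreter, an alias or an encoded string, which is why the gate flags shell and interpreter wrappers rather than trying to parse them. The real boundary is running the agent in a sandbox with no credentials it could misuse.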
Your coding tool account is now worth stealing
A Cursor user reported waking up to find a new device added to their account, with model usage — the expensive kind, Opus-class — running overnight while they slept. (r/cursor)
Treat this as a signal, not a one-off. Your AI coding tool account often has access to your private repos, the API keys in your environment files, and sometimes deployment credentials through MCP or CI integrations. It is not a throwaway login. If you haven't turned on two-factor authentication for Cursor, Claude Code, Lovable, or whichever tool you build with, do it today. Check your account's active sessions and connected devices while you're at it. If you find one you don't recognise, remove it and then rotate every key and token that session could have reached: 2FA stops new logins, not sessions and tokens that were already issued.
MCP: read is fine, write is where it bites
A thread in r/cursor laid out the practical line builders are converging on for Model Context Protocol tools: letting an agent search docs, inspect issues, or read a database schema is low-risk, because the blast radius is small if it goes wrong. The moment a tool can mutate something (send email, edit production data, change DNS, close GitHub issues, touch billing) the calculus changes. (r/cursor) One caveat that framing understates: read tools are not zero-risk. An agent that reads private data, also reads untrusted content, and has any channel out (a web fetch, a comment it can post) can be steered into leaking what it read, so "read-only" is a lower tier, not a safe one.
If you've connected MCP servers to your agent, audit what each one can actually do. A read-only GitHub integration and a GitHub integration that can merge PRs and close issues are not the same risk, and the difference is usually just which token you handed the server. Same goes for anything touching your database, your DNS, or your payment provider: give each server its own credential scoped to the tools you need, and grant write access only where you'd be comfortable if the agent did it wrong, unsupervised, at 3am.
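One way to do that audit mechanically, as an added example that is not code from the article, from Cursor or from any MCP server: a hypothetical script that takes the `tools` array each server returns from `tools/list`, sorts tools into read, write and unknown, and emits a per-tool policy. It reads the MCP tool annotations (`readOnlyHint`, `destructiveHint`), which the MCP spec itself describes as untrusted hints from the server, and therefore also applies a name heuristic so a tool called `delete_branch` is never treated as read-only just because the server says so. The three manifests below are constructed, and the `SENSITIVE` server list is an assumption.

```python
"""Audit MCP tool manifests and turn them into a per-tool policy.

Hypothetical helper, not part of Cursor or of any MCP server. It takes the
`tools` array each server returns from `tools/list` (a constructed sample is
embedded below), sorts tools into read / write / unknown using the MCP
`annotations` hints plus a name heuristic, and emits a policy: read tools run
unattended, write and unknown tools need a human confirmation, and write tools
on servers listed in SENSITIVE are denied outright.
"""
import json
import re
from typing import Dict, List

# Assumed: servers where a wrong write is hard to undo; the agent never gets write tools here.
SENSITIVE = {"email", "dns", "billing", "prod-db"}

# Tool names that look like mutations, regardless of what the server claims.
WRITE_VERBS = re.compile(
    r"^(create|update|delete|remove|send|merge|close|set|write|put|post|patch|push|drop|reset)(?:[_\-]|$)",
    re.IGNORECASE,
)

# Constructed sample of what three servers might return from tools/list.
# github.delete_branch is deliberately mislabelled read-only to show the heuristic.
SAMPLE_MANIFESTS: Dict[str, List[dict]] = json.loads("""
{
  "github": [
    {"name": "search_issues", "description": "Search issues", "annotations": {"readOnlyHint": true}},
    {"name": "get_file_contents", "description": "Read a file", "annotations": {"readOnlyHint": true}},
    {"name": "merge_pull_request", "description": "Merge a PR",
     "annotations": {"readOnlyHint": false, "destructiveHint": true}},
    {"name": "close_issue", "description": "Close an issue"},
    {"name": "delete_branch", "description": "Delete a branch", "annotations": {"readOnlyHint": true}}
  ],
  "email": [
    {"name": "list_messages", "description": "List inbox", "annotations": {"readOnlyHint": true}},
    {"name": "send_message", "description": "Send mail", "annotations": {"readOnlyHint": false}}
  ],
  "dns": [
    {"name": "list_records", "description": "List records"},
    {"name": "set_record", "description": "Create or replace a record", "annotations": {"readOnlyHint": false}}
  ]
}
""")


def classify(tool: dict) -> str:
    """'read', 'write' or 'unknown'. The server's annotations are hints, so a
    mutating-looking name wins over a readOnlyHint, and a missing hint is not
    assumed to be harmless."""
    ann = tool.get("annotations") or {}
    if WRITE_VERBS.match(tool["name"]) or ann.get("readOnlyHint") is False:
        return "write"
    if ann.get("readOnlyHint") is True:
        return "read"
    return "unknown"


def build_policy(manifests: Dict[str, List[dict]]) -> Dict[str, str]:
    """Map 'server.tool' to allow / confirm / deny."""
    policy: Dict[str, str] = {}
    for server, tools in manifests.items():
        for tool in tools:
            kind = classify(tool)
            if kind == "read":
                decision = "allow"
            elif kind == "write" and server in SENSITIVE:
                decision = "deny"
            else:
                decision = "confirm"  # write on a normal server, or no usable hint
            policy[f"{server}.{tool['name']}"] = decision
    return policy


def decision_for(policy: Dict[str, str], server: str, tool_name: str) -> str:
    """Default-deny: a tool that was not in the audited manifest is refused,
    which also covers a server that adds tools after the audit."""
    return policy.get(f"{server}.{tool_name}", "deny")


if __name__ == "__main__":
    for key, decision in sorted(build_policy(SAMPLE_MANIFESTS).items()):
        print(f"{decision:8} {key}")
```

The default-deny in `decision_for` matters as much as the classification: a server can change its tool list between the audit and the next session, and an agent that blindly accepts whatever `tools/list` returns has no audit at all.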
What we're watching, unconfirmed
One Cursor user reported their agent suddenly reasoning about a PHP codebase that wasn't theirs — files, variable names, none of it matching their 100% Python project. They called it possible "cache leakage" and force-stopped it. (r/cursor) There's no confirmation this is cross-tenant data exposure rather than a model glitch or hallucinated context. But if you see an agent referencing files or logic that aren't in your repo, stop the session and don't assume it's nothing.
FAQ
Is prompt injection something I need to worry about if I just use Lovable or Bolt, not raw dependencies?
The jqwik incident targeted developers pulling in libraries directly, which is more of a Cursor/Claude Code pattern than a no-code builder pattern. But the underlying risk — an agent obeying instructions it finds in content it reads — applies anywhere an agent ingests external text: scraped pages, uploaded files, third-party API responses. Ask what your builder's agent reads before it acts, and whether destructive actions require confirmation.
Should I disconnect my MCP integrations?
No, audit them. Separate the ones that only read (lower risk, fine to leave connected for now) from the ones that can write to production, send communications, or touch billing (worth a second look at scope and whether you actually need that write access).
What's the one thing to do today?
Turn on two-factor authentication for your AI coding tool account, and check the active sessions list. That's the cheapest fix on this list, and it directly raises the cost of the kind of takeover the Cursor account-hijack report describes.
The bottom line
None of this week's items is a single catastrophic vulnerability. It's a pattern: agents are being trusted with more read access, more write access, and more autonomy, and the security model hasn't caught up. Lock down your account. Know what your agent's tools can actually do. And if something looks wrong mid-session — a codebase you don't recognize, a command you didn't ask for — stop and look before you let it finish.
Find your gaps before an attacker does.
Is My Site Hackable? scans your deployed app for the exact issues in this article — exposed keys, missing RLS, open buckets — and tells you what's real and what's a false alarm.
Run a free scan →