🧯 The Staff Safety Desk

Wednesday, July 15, 2026

6 stories

Generated with AI from public sources. Verify before relying on for decisions.

🎧 Listen to this briefing or subscribe as a podcast →

Today on The Staff Safety Desk, the data on AI-generated code quality is solidifying into a clear warning. Building on recent reports of skyrocketing vulnerability rates, new metrics show that nearly half of all AI-generated code fails basic security scans. We're also tracking a critical, unpatched zero-day in the Cursor IDE, and a supply chain attack that successfully weaponized a legacy GitHub Actions vulnerability to compromise widely used npm packages.

AI-Assisted Coding Practice

The Alarming Gap Between Functional and Secure AI-Generated Code

Following the GitLab and CodeRabbit data we've been tracking, which showed AI-assisted developers introducing vulnerabilities at a 10x higher rate, a wave of new research from Checkmarx and others adds further stark metrics to the governance gap. The latest reports show AI-generated code now fails basic security scans nearly half the time. This solidifies the 'structural mismatch' where code generation speed vastly outpaces security validation, leading to an increased likelihood of shipping vulnerable software.

This Checkmarx data provides the latest concrete evidence for the 'AI slop' problem, proving that as code generation accelerates, the primary engineering bottleneck shifts entirely to rigorous verification.

Verified across 16 sources: Dual Media · Hackernoon · MSR 2026 · arxiv.org · arxiv.org · arxiv.org · Panto.ai · Larridin · Mike Mason · GitClear · dev.to · Upsun · GitHub · GitHub · Express Computer · The Manila Times

Critical Unpatched 0-Day in Cursor Allows RCE on Windows via Malicious Repo

The attack surface for AI IDEs continues to expand. We've recently seen tools like Cursor targeted by the Miasma worm and the 'GhostApproval' bypass, but now security firm Mindgard has disclosed a seven-month-old, unpatched zero-click RCE specifically in Cursor. The flaw allows arbitrary code execution on Windows when a user simply opens a repository containing a maliciously crafted `git.exe` file. Despite being reported in December 2025 and confirmed by HackerOne, Cursor has reportedly failed to patch the flaw across nearly 200 subsequent versions, forcing a public disclosure.

This represents a severe breakdown in vendor responsibility for a popular AI tool, putting developers at risk of a zero-click RCE and underscoring the danger of trusting developer tools that have deep system access.

Verified across 10 sources: Mindgard · NoCode.Tech · It's FOSS · Sina Finance · Google Drive · GitHub · GitHub · GitHub · Capwolf · The Hacker News

'Anti-Slop' Linters Emerge to Gate Low-Quality AI Code

Following the release of automated referees like Wardrail and the AINAScan tool for 'vibe-coding' bugs, developers are increasingly building specialized 'anti-slop' linters like 'Hallmark' and `sloppylint`. These new tools act as deterministic quality gates, automatically catching recurring AI-generated anti-patterns—such as swallowed exceptions or tests that only check for a 200 status—that human reviewers often miss. This approach formally separates code generation from a more rigorous, often multi-agent, review process.

This trend provides a practical, tool-based mitigation for the 'AI slop' problem, giving your team concrete heuristics and automated checks to prevent technical debt from AI-generated code.

Verified across 5 sources: dev.to · dev.to · dev.to · english.dotdotnews.com · users.scala-lang.org

GitHub Actions & Supply Chain

AsyncAPI npm Packages Compromised in GitHub Actions Supply Chain Attack

Despite GitHub's recent move to block 'pwn request' attacks by default in `actions/checkout` v7 following the TanStack incident, misconfigurations remain a critical vector. On Tuesday, attackers compromised several popular npm packages in the @asyncapi namespace by exploiting a legacy 'pwn request' vulnerability via a misconfigured `pull_request_target` trigger. The flaw allowed the theft of a high-privilege Personal Access Token (PAT), which the attacker used to publish malicious package versions containing a multi-stage credential-stealing payload, affecting millions of weekly downloads.

This is a textbook example of the CI/CD supply chain attack vector you've been tracking, demonstrating how a single Actions misconfiguration can still lead to widespread malware distribution despite recent platform-level mitigations.

Verified across 11 sources: Wiz Blog · Datadog Security Labs · Cursor · Teamwin · Rescana · Socket.dev · daily.dev · Aikido Security Blog · SecurityAffairs · Mondaq · TheHackerNews

Django & Python Ecosystem

Malicious Typosquat Package 'django-auth-middleware-plus' Found on PyPI

A malicious Python package named 'django-auth-middleware-plus' has been discovered on PyPI. Designed to typosquat a legitimate package, it exfiltrates sensitive user data, environment variables, dotfiles, and PyPI tokens to a command-and-control server upon import. The package also attempts to modify shell configuration files to establish persistence.

This is a direct threat to your Django development environment, highlighting the critical need for vigilance and verification when installing any third-party package to prevent credential theft.

Verified across 1 sources: hacktron.ai

Web App Security Literacy

Actively Exploited Zero-Day in Active Directory Federation Services Patched

Microsoft released a patch on Tuesday for CVE-2026-56155, an actively exploited elevation-of-privilege vulnerability in Active Directory Federation Services (AD FS). The flaw, rooted in insufficient access control granularity, allows an authenticated local attacker to gain full administrator privileges. This was part of Microsoft's largest-ever Patch Tuesday, which addressed 570 vulnerabilities in total.

This active exploit of a core identity service is a critical reminder of how insufficient access control granularity, a common 'slop' pattern in AI-generated code, can lead to total system compromise.

Verified across 3 sources: Cybersecurity News · CyberPress · METR


The Big Picture

The Functionality-Security Gap in AI Code is Now Quantified New research and post-mortems show a clear pattern: AI coding tools are good at generating functional code but consistently fail to produce secure code. Studies indicate nearly half of AI-generated code fails basic security tests, highlighting that the core problem isn't a lack of knowledge in the models, but a failure to execute securely by default, creating a structural risk for engineering teams that must be mitigated with explicit, human-led verification and tooling.

Supply Chain Attacks Evolve to Target CI/CD & AI Tooling Recent attacks demonstrate a tactical shift towards compromising the tools developers trust. The AsyncAPI breach leveraged a known GitHub Actions misconfiguration ('pwn request') to steal credentials and publish malicious packages, while a separate, critical zero-day in the Cursor IDE shows how the development environment itself can be the attack vector, executing code from a cloned repo without any user interaction.

AI Coding Workflow Moves Toward Agent Orchestration The conversation around AI-assisted development is shifting from single-tool autocompletion to orchestrating multiple, specialized agents. New tools and practices are emerging to manage this complexity, focusing on persistent, shareable context (`cast-skills`), isolated environments (worktrees), and agent-centric IDEs (Cursor 3.0), turning the developer's role from a line-by-line coder to a supervisor of an AI team.

What to Expect

2026-07-20 Potential US Senate floor date for the CLARITY Act, a digital asset market structure bill.
2026-09-24 GrrCON 2026 begins, with presentations on web app security, IoT hacking, and AI exploitation.

— The Staff Safety Desk

🎙 Listen as a podcast

Subscribe in your favorite podcast app to get each new briefing delivered automatically as audio.

Apple Podcasts
Library tab → ••• menu → Follow a Show by URL → paste
Overcast
+ button → Add URL → paste
Pocket Casts
Search bar → paste URL
Castro, AntennaPod, Podcast Addict, Castbox, Podverse, Fountain
Look for Add by URL or paste into search

Spotify isn’t supported yet — it only lists shows from its own directory. Let us know if you need it there.