AI Code Security
Research & Statistics
No fabricated numbers. No unverified claims. Every statistic on this page links to its primary source - peer-reviewed papers, vendor reports with disclosed methodology or named executive statements. Updated February 2026.
Who's Shipping AI-Written Code?
The world's biggest tech companies are going all-in on AI coding. These are public statements from CEOs and executives at earnings calls and conferences.
Spotify: best developers "haven't written a single line of code since December"
Co-CEO Gustav Söderström at the Q4 2025 earnings call. Engineers use the internal "Honk" system with Claude Code to deploy features from Slack on their phones. Shipped 50+ features throughout 2025.
TechCrunch, Feb 2026 →
Anthropic: 70–90% of code company-wide is AI-written
Claude Code writes ~90% of its own code. Top engineer Boris Cherny reports 100% AI-written code. Team built Cowork (a file-management agent) in ~1.5 weeks using only Claude Code.
Fortune, Jan 2026 →
Google: over 30% of new code is AI-generated
CEO Sundar Pichai confirmed during Q1 2025 earnings call. Code is generated by AI and then reviewed by engineers before deployment.
PCMag / Alphabet Earnings, Apr 2025 →
Microsoft: 20–30% of code across repos is AI-written
CEO Satya Nadella at Meta's LlamaCon, April 2025. Some projects are entirely AI-generated. AI is writing code across the full Microsoft product portfolio.
CNBC, Apr 2025 →
Meta: Zuckerberg targets AI handling ~50% of all development
At LlamaCon 2025, Zuckerberg said Meta is building AI models that can in turn build other AI models. Targeting half of all software development handled by AI within a year.
Business Insider, Apr 2025 →
Industry-wide: 41% of all global code is now AI-written or AI-assisted
MIT Technology Review named generative coding a 2026 breakthrough technology. 256 billion lines of AI-generated code in 2024 alone. Dario Amodei (Anthropic CEO) predicted AI writing 90% of all code within months.
MIT Technology Review, Jan 2026 →
Every percentage point of AI-written code is a percentage point of unaudited attack surface — unless you scan it in real-time.
These Aren't Hypotheticals — They Already Happened
Documented attacks, breaches and exploits targeting AI coding tools and the code they produce. Every incident links to its primary disclosure or reporting source.
Amazon Q Developer: Prompt Injection & RCE in Official VS Code Extension
A malicious actor submitted prompt injections to public AWS repos that were included in the official Amazon Q for VS Code release (v1.84.0). The compromised extension passed Amazon's verification and was publicly available for two days. The payload directed Q to wipe local files and disrupt AWS cloud infrastructure. Researcher Johann Rehberger separately demonstrated RCE via invisible prompt injection.
IDEsaster: 30+ CVEs Across Every Major AI IDE
Pillar Security disclosed vulnerabilities enabling data theft and remote code execution in Cursor, GitHub Copilot, Windsurf, Roo Code, Zed, and JetBrains Junie. 100% of tested AI IDEs were vulnerable to prompt injection. Attack vectors include IDE settings manipulation, MCP tool abuse, and invisible Unicode in project config files.
Rules File Backdoor: Invisible Instructions in AI Config Files
Pillar Security demonstrated that attackers can inject hidden instructions into .cursorrules, copilot-instructions.md, and MCP configs using invisible Unicode characters and BIDI overrides. The AI follows these instructions silently, generating code with backdoors that appears legitimate to the developer reviewing it.
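As an illustration of the defensive side (our sketch, not part of Pillar's disclosure), a pre-commit or CI step can flag invisible Unicode and BIDI control characters in AI rule files before the model ever reads them. The file names below are assumptions based on the tools mentioned above:

```python
# Sketch: flag invisible Unicode and BIDI control characters in AI rule files
# before they reach the model. File names are assumptions based on common tools.
import pathlib
import sys
import unicodedata

RULE_FILES = [".cursorrules", "copilot-instructions.md", ".cursor/mcp.json"]

def scan(path: pathlib.Path) -> list[str]:
    findings = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ch in line:
            # Category "Cf" covers zero-width characters and BIDI overrides.
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append(f"{path}:{lineno}: U+{ord(ch):04X} {name}")
    return findings

if __name__ == "__main__":
    root = pathlib.Path(sys.argv[1]) if len(sys.argv) > 1 else pathlib.Path(".")
    hits = [f for name in RULE_FILES for p in root.rglob(name) for f in scan(p)]
    print("\n".join(hits) or "No invisible characters found in AI rule files.")
```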
CurXecute: Remote Code Execution in Cursor via MCP Auto-Start
CVE-2025-54135 (severity 8.6). Creating a new .cursor/mcp.json file doesn't require user approval — but editing an existing one does. Attackers exploit this inconsistency to auto-start malicious MCP servers that execute arbitrary commands on the developer's machine.
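A lightweight review aid (a sketch assuming the common `mcpServers` config layout, not Cursor's actual approval mechanism) is to enumerate every command an MCP config would launch before the project is opened in an AI IDE:

```python
# Sketch: list the commands an MCP config would auto-start so they can be
# reviewed before the project is opened in an AI IDE. Assumes the common
# {"mcpServers": {name: {"command": ..., "args": [...]}}} layout.
import json
import pathlib
import sys

def report(config_path: pathlib.Path) -> None:
    config = json.loads(config_path.read_text(encoding="utf-8"))
    for name, server in config.get("mcpServers", {}).items():
        command = " ".join([server.get("command", "")] + server.get("args", []))
        target = command.strip() or server.get("url", "<no command or url>")
        print(f"{config_path}: server '{name}' -> {target}")

if __name__ == "__main__":
    root = pathlib.Path(sys.argv[1]) if len(sys.argv) > 1 else pathlib.Path(".")
    found = list(root.rglob(".cursor/mcp.json"))
    if not found:
        print("No .cursor/mcp.json files found.")
    for path in found:
        report(path)
```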
MCP Protocol: Multiple Critical Vulnerabilities
Anthropic's own Git MCP server had three CVEs (CVE-2025-68145, -68143, -68144) enabling remote code execution via prompt injection. JFrog disclosed CVE-2025-6514 in mcp-remote (command injection). Palo Alto Unit 42 documented new prompt injection attack vectors through MCP sampling. When multiple MCP servers operate together, tool redefinition attacks can intercept and manipulate data flows.
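One mitigation commonly discussed for tool redefinition attacks is pinning: record a hash of each tool's name and description when it is first approved, and alert if the definition later changes. A minimal sketch of the idea, not tied to any particular MCP client (the pin-file name and structure are assumptions):

```python
# Sketch: pin MCP tool definitions by hash and flag silent redefinition.
# `tools` would come from an MCP client's tools/list response.
import hashlib
import json
import pathlib

PIN_FILE = pathlib.Path(".mcp-tool-pins.json")

def fingerprint(tool: dict) -> str:
    material = json.dumps(
        {"name": tool.get("name"), "description": tool.get("description")},
        sort_keys=True,
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def check_tools(tools: list[dict]) -> list[str]:
    pins = json.loads(PIN_FILE.read_text()) if PIN_FILE.exists() else {}
    alerts = []
    for tool in tools:
        name, digest = tool.get("name", "?"), fingerprint(tool)
        if pins.get(name) not in (None, digest):
            alerts.append(f"tool '{name}' definition changed since it was approved")
        pins[name] = digest
    PIN_FILE.write_text(json.dumps(pins, indent=2))
    return alerts

if __name__ == "__main__":
    demo = [{"name": "read_file", "description": "Read a file from the workspace"}]
    print(check_tools(demo) or "All tool definitions match their pins.")
```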
Reprompt Attack: Single-Click Data Exfiltration from Microsoft Copilot
Varonis Security demonstrated an indirect prompt injection attack that enabled single-click exfiltration of sensitive data from Microsoft Copilot. The attack was responsibly disclosed and patched in January 2026's Patch Tuesday.
tj-actions/changed-files: Supply Chain Compromise (CVE-2025-30066)
One of the most widely used GitHub Actions was compromised. Attackers modified multiple version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs across tens of thousands of repositories. CISA issued an emergency advisory.
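Because the attack worked by moving existing version tags to a malicious commit, workflows that pinned actions to full commit SHAs were not affected. A rough sketch of a check for tag-pinned actions (our illustration, not CISA guidance):

```python
# Sketch: flag GitHub Actions `uses:` references pinned to a mutable tag or
# branch instead of a full commit SHA. Tag mutation is how the
# tj-actions/changed-files compromise propagated.
import pathlib
import re

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")

def unpinned_actions(repo_root: str = ".") -> list[str]:
    findings = []
    for wf in pathlib.Path(repo_root, ".github", "workflows").glob("*.y*ml"):
        for lineno, line in enumerate(wf.read_text(encoding="utf-8").splitlines(), 1):
            match = USES.match(line)
            if not match:
                continue
            ref = match.group(1).strip("\"'")
            if "@" in ref and not FULL_SHA.search(ref):
                findings.append(f"{wf}:{lineno}: {ref} is not pinned to a commit SHA")
    return findings

if __name__ == "__main__":
    print("\n".join(unpinned_actions()) or "All workflow actions are SHA-pinned.")
```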
Slopsquatting: Attackers Registering AI-Hallucinated Package Names
Threat actors are actively registering package names that LLMs commonly hallucinate on npm and PyPI. When developers use AI-generated code and install these dependencies, they unknowingly import malware. 205,000+ unique hallucinated names observed; 43% are repeated consistently across prompts, making the attack surface predictable.
Google Antigravity: Inherited Windsurf Vulnerabilities
Google licensed Windsurf's technology and hired its core team in a $2.4B deal to build Antigravity. Researcher Wunderwuzzi documented five vulnerabilities including data exfiltration and remote command execution via indirect prompt injection — issues disclosed in Windsurf as early as May 2025 but unpatched. Google initially classified a persistent backdoor as "not an issue" before re-opening the ticket.
The pattern is clear
AI coding tools are a new, actively exploited attack surface. Attackers are targeting the tools themselves (IDE vulnerabilities, MCP exploits), the supply chain (hallucinated packages, compromised actions), and the code they produce (prompt injection → malicious output). Traditional security tools don't monitor any of these vectors.
"AI coding tools exploded in 2025. The first security exploits followed." — Fortune, Dec 2025
AI Code Vulnerability Rates
Statistics from vendor security reports with disclosed methodology. These are not peer-reviewed academic studies, but they analyse real-world codebases at scale.
of AI-generated code fails security tests
100+ LLMs tested across 80 curated coding tasks. Introduced OWASP Top 10 vulnerabilities including injection, broken access control and cryptographic failures.
Veracode 2025 GenAI Code Security Report, July 2025 →
Java security failure rate in AI-generated code
Highest language-specific failure rate. JavaScript: 45%, Python: 32%, C#: 38%. GenAI models chose an insecure method to write code in 73% of tasks where a secure alternative existed.
Veracode 2025 GenAI Code Security Report, July 2025 →
spike in security findings in 6 months
Fortune 50 analysis across tens of thousands of repos, several thousand developers. Paradoxically, syntax errors dropped 76% in the same period - code compiles, but it's less secure.
Apiiro Fortune 50 analysis, Sept 2025 →
increase in privilege escalation paths
Same Fortune 50 dataset. AI-generated code introduces more complex, harder-to-detect vulnerability chains even as surface-level code quality improves.
Apiiro 2025 →
6.4% of Copilot-enabled repos leak secrets (vs 4.6% baseline - 40% higher)
Annual analysis of secret exposure across repositories. AI assistants frequently generate placeholder credentials, API keys and tokens that persist into commits.
GitGuardian State of Secrets Sprawl 2025 →
of AI-generated code contains design flaws or known vulnerabilities
Even when developers used the latest foundational AI models. The root problem: AI coding assistants don't understand your application's risk model.
Cloud Security Alliance, July 2025 →
"Newer, larger models are not producing safer code." - Jens Wessling, Veracode CTO, July 2025
Academic Research on AI Code Security
Published papers from universities and research institutions. These undergo peer review and use controlled methodologies.
of Copilot-generated code contained vulnerabilities
1,689 programs tested across MITRE top-25 CWEs. One of the first large-scale academic studies of AI code security.
of GPT-3.5-turbo generated C programs identified as vulnerable
Large-scale comparison of LLMs using the PROMISE'23 dataset. 112,000 C programs generated and analysed. Compared GPT-3.5-turbo, GPT-4 and CodeLlama.
CWEs found across 7,703 AI-attributed files on public GitHub
Largest real-world analysis of AI-generated code in public repos. Used CodeQL static analysis. Files attributed to ChatGPT (91.5%), GitHub Copilot (7.5%), Amazon CodeWhisperer (0.5%) and Tabnine (0.5%).
Security degrades with iterative AI code generation
When developers use AI assistants iteratively (fix → re-generate → fix), security quality degrades over successive iterations. Each round introduces new vulnerability patterns while "fixing" the previous ones.
Georgetown CSET: AI-generated code may pose systemic cybersecurity risks
Policy brief from Georgetown University's Center for Security and Emerging Technology. Warns that widespread adoption of AI code generation without adequate security tooling creates systemic risk across the software supply chain.
Georgetown CSET, Nov 2024 (PDF) →
AI vs Human Code: Quality Comparison
Direct comparisons of AI-generated and human-written code across real-world pull requests.
AI-generated code produces ~1.7× more issues than human-written code
Analysis of 470 open-source GitHub pull requests using CodeRabbit's structured issue taxonomy. AI-generated PRs had more defects across every major category: logic and correctness, maintainability, security and performance.
Key insight: The acceleration in code production comes with a consistent increase in defects across all quality dimensions. As CodeRabbit notes, this data helps explain high-profile production incidents in 2025 that implicated AI-generated code.
Slopsquatting: AI-Hallucinated Package Names
When AI assistants recommend packages that don't exist, attackers can register those names and distribute malware. This is called "slopsquatting" - a term coined by Seth Larson, Python Software Foundation Security Developer-in-Residence.
~20% of AI-recommended packages don't exist
576,000 Python and JavaScript code samples analysed. One in five package recommendations pointed to non-existent libraries.
205,000+ unique hallucinated package names observed
Across all models tested. These are plausible-sounding names that could easily be registered by an attacker on npm or PyPI.
Socket.dev analysis →
43% of hallucinated packages are repeated consistently
When re-running the same prompts 10 times, 43% of hallucinated package names appeared every single time. 58% appeared more than once. This makes the attack surface predictable and exploitable.
Infosecurity Magazine, 2025 →
Why this matters: Unlike traditional typosquatting (misspelling lodash as lodassh), slopsquatting exploits AI hallucinations. The package names sound legitimate and "on-brand" for the ecosystem. A developer might not recognise them as fake. Trend Micro confirms this remains "a tangible supply-chain threat across all AI coding paradigms."
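A cheap defence is to verify that every assistant-suggested dependency actually exists on the registry before it lands in a requirements file. The sketch below assumes PyPI's public JSON API and is only a screening step, not a full review: an attacker may already have registered a hallucinated name, so age, download history and maintainers still need a human look.

```python
# Sketch: check whether AI-suggested package names exist on PyPI before installing.
# A 404 from the JSON API means the name is unregistered - exactly the gap a
# slopsquatter would fill. Standard library only.
import sys
import urllib.error
import urllib.request

def exists_on_pypi(name: str) -> bool:
    url = f"https://pypi.org/pypi/{name}/json"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise

if __name__ == "__main__":
    for name in sys.argv[1:]:
        status = "found" if exists_on_pypi(name) else "NOT REGISTERED - do not install blindly"
        print(f"{name}: {status}")
```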
AI Coding IDE Vulnerabilities
It's not just the code AI writes - the tools themselves have critical security flaws. In December 2025, researchers disclosed over 30 vulnerabilities across the most popular AI coding IDEs.
IDEsaster: 30+ CVEs in AI Coding Tools (Dec 2025)
Pillar Security researchers discovered vulnerabilities enabling data theft and remote code execution across major AI IDEs. Attack vectors include prompt injection via project files, IDE settings manipulation and MCP tool abuse.
Rules File Backdoor Attack
Attackers inject hidden instructions into AI IDE config files (.cursorrules, copilot-instructions.md, MCP configs) using invisible Unicode characters and BIDI overrides. The AI follows these instructions silently.
Prompt Injection → Code Execution
Researchers demonstrated inserting attack payloads into coding rule files to hijack AI coding editors and execute arbitrary system commands. First extensive evaluation of project injection vulnerabilities in agentic AI editors.
"Your AI, My Shell" - arxiv, Sept 2025 βThe attack surface is the IDE itself. Microsoft patched 1,139 CVEs in 2025 alone - the second-largest year for CVEs by volume. AI coding tools are a new, rapidly expanding attack surface that traditional security tools don't monitor.
The Register: AI-authored code needs more attention, Dec 2025 →
The Cost of Fixing Bugs Late
The widely cited claim that bugs cost "100× more to fix in production" deserves careful attribution. Here's what the evidence actually says.
What's commonly claimed
The "100Γ cost multiplier" is widely attributed to the "IBM Systems Sciences Institute" and referenced in hundreds of articles, textbooks and vendor reports. The original source traces to Roger S. Pressman's 1987 textbook Software Engineering: a Practitioner's Approach, which cited "course notes" from IBM's internal training programme.
Researcher Laurent Bossavit investigated the provenance and found that the original data - if it exists - dates to before 1981 and has never been published as a formal study. The Register covered this in detail.
What the evidence does support
While the exact "100×" figure lacks a traceable primary source, the directional claim - that bugs cost significantly more to fix later - is supported by multiple lines of evidence:
- IBM (via Black Duck/Synopsys): "The cost to fix a bug found during implementation is about 6× higher than one identified during design. The cost to fix bugs found during testing could be 15× higher." Source →
- NIST 2002: Software bugs cost the US economy an estimated $59.5 billion annually. A third of that cost could be eliminated by improved testing. NIST Planning Report 02-3 →
- Formal methods expert Hillel Wayne: "I think the body of research so far tentatively points in that direction, depending on how you interpret 'late-stage', 'bugs' and 'more expensive'."
Our position: Fixing vulnerabilities during coding is substantially cheaper than fixing them in production - the directional evidence is strong even if the exact multiplier is debated. With AI assistants generating code at 10× the speed of manual development, the volume of potential vulnerabilities entering codebases has increased dramatically. Edge-first detection tools like CodeMarine catch these before they compound.
OWASP Top 10 for LLM Applications (2025)
The OWASP Foundation published its updated Top 10 risks for LLM applications in 2025. Several of these directly relate to AI-generated code security.
LLM01: Prompt Injection. Crafted inputs manipulate LLM behaviour - leading to unauthorised access, data breaches and compromised decision-making.
LLM02: Sensitive Information Disclosure. LLMs may reveal confidential data in generated outputs - API keys, credentials and PII embedded in training data.
LLM03: Supply Chain. Compromised training data, models or plugins introduce hidden risks. Includes slopsquatting and dependency confusion.
LLM05: Improper Output Handling. Failure to validate, sanitise or handle LLM outputs. Directly relevant to AI-generated code that gets executed without review (see the sketch after this list).
LLM09: Misinformation. LLMs generate false but confident outputs - including non-existent packages, incorrect security patterns and fabricated APIs.
LLM10: Unbounded Consumption. Uncontrolled resource usage. In coding contexts: AI generating excessive code, dependencies or API calls without guardrails.
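To make Improper Output Handling concrete, here is a minimal sketch (our illustration, not an OWASP reference implementation): parse LLM-generated Python and flag obviously dangerous calls before anything runs. The deny-list is deliberately small and only an example.

```python
# Sketch: never execute LLM output directly; parse it first and flag dangerous
# calls for human review. The deny-list is illustrative and far from complete.
import ast

DANGEROUS_CALLS = {"eval", "exec", "compile", "__import__", "system", "popen"}

def review_generated_code(source: str) -> list[str]:
    findings = []
    try:
        tree = ast.parse(source)
    except SyntaxError as err:
        return [f"generated code does not parse: {err}"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", "")
            if name in DANGEROUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}() needs review")
    return findings

print(review_generated_code('import os\nos.system("rm -rf /tmp/cache")'))
# -> ['line 2: call to system() needs review']
```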
AI Coding Market Data
The scale of AI code generation - and the security gap it creates.
AI Regulatory Timeline
The regulatory landscape for AI-generated code is tightening rapidly. These dates are not aspirational - they're law.
What Industry Leaders Are Saying
"Newer, larger models are not producing safer code."
"More than 30 percent of new code at Google is generated by AI."
"AI coding tools exploded in 2025. The first security exploits followed."
"Package hallucinations remain a tangible supply-chain threat across all AI coding paradigms."
Further Reading
Deep dives into specific topics covered on this page.
SQL Injection Prevention in AI-Generated Code
Why f-strings aren't parameterisation and how to catch it (a short example follows at the end of this list).
Common AI-Generated Vulnerabilities
The patterns AI assistants get wrong most often.
Command Injection in AI Code
exec(), shell=True and why AI loves them.
Secure Coding Patterns
Essential patterns for secure AI-assisted development.
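As a quick illustration of the f-string point above, a sketch using Python's built-in sqlite3 module:

```python
# Sketch: why an f-string is not parameterisation. The first query splices
# attacker-controlled text into the SQL itself; the second binds it as data.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")

user_input = "' OR '1'='1"

# Vulnerable: the input becomes part of the SQL statement.
unsafe = f"SELECT role FROM users WHERE name = '{user_input}'"
print(conn.execute(unsafe).fetchall())        # returns every row

# Parameterised: the input is bound as data, never interpreted as SQL.
safe = "SELECT role FROM users WHERE name = ?"
print(conn.execute(safe, (user_input,)).fetchall())  # returns nothing
```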
Methodology & Citation Policy
Every statistic on this page links to its primary source. We categorise sources by type: named executive statements, vendor security reports with disclosed methodology, and peer-reviewed academic research.
Where a commonly cited statistic has questionable provenance (such as the "100× cost" claim), we note this explicitly and present the evidence honestly. We do not use statistics we cannot trace to a primary source.
If you find an error, have a better source or want to suggest additional research, please contact us.
Protect your team from these statistics
CodeMarine catches AI-generated vulnerabilities in under 50ms - before they reach your repo. Free 14-day trial.