
Key facts.
- The Amazon Q extension was compromised to ship a wiper prompt into a developer tool (AWS bulletin).
- Antigravity's agent ran a destructive command from inside the IDE, wiping a drive (OECD.AI).
- Injection across agentic coding editors ran 41 to 84%, with Initial Access at 93.3% (AIShellJack, 2025).
Why are dev agents a sharper risk than most?
Because developer environments are trusted and powerful. They hold credentials, reach production, and run arbitrary commands, so an agent operating there inherits all of it. On the generation side, insecure code the agent writes can reach production and become a vulnerability long after the session ends. You are exposed at both moments: when the agent writes and when the agent runs. Both need controls, code review of agent output and least-privilege isolation of the execution environment.

Treating a dev agent like an editor vs. like a privileged actor
| Like an editor | Like a privileged actor |
|---|---|
| Output merged with light review | Output security-reviewed before merge |
| Runs with full dev privileges | Runs sandboxed, least privilege |
| Destructive commands ungated | Destructive commands gated |
VibeModel's Pattern Intelligence Layer applies to both axes: it flags generated output that matches insecure patterns and execution actions that match destructive ones, before either lands. You review the code and isolate the environment; we catch the vulnerable commit and the dangerous command. A coding agent is the most powerful actor in your pipeline, so treat it like one.
Frequently asked questions
Will a more capable coding model write safer code and resist these attacks?
A coding agent writes code and runs privileged, and a more capable one stays exposed: AIShellJack found injection 41 to 84%, an incident anyway. (arXiv:2509.22040)
Do I have to review every line an agent writes?
Review with the same rigor as a human pull request, weighted toward security-sensitive code. Agent output is not pre-trusted.
Should dev agents reach production?
Rarely, and only through gates. The Amazon Q and Antigravity incidents show what direct privileged access in a dev context can do.

