Every 2026 AI agent incidentOne page. Updated chronologically.

The 2026 AI agent security incidents share a common shape. The same class of mistake keeps repeating across different vendors, different file formats, and different parts of the stack.

Four months in: credential leaks from two major coding agents, a command-injection CVE, an unaudited MCP ecosystem delivering software to millions of machines without code-signing, and at least one demonstrated prompt-injection attack that walked off with private GitHub data. GitGuardian's 2026 "State of Secrets Sprawl" report found that AI-service token leaks rose 81% year-over-year and that AI-assisted commits leak secrets roughly twice as often as hand-written ones.

This page collects the incidents in order. Bookmark it, share it with teammates who are treating this as a niche research problem.

What to know in 60 seconds

• Jan 2026: Cursor .cursor/ directory leak disclosed by Knostic. Agent state files persisted to a predictable repo-local path that most .gitignore templates did not cover.
• Jan 2026: The Register reported that .claudeignore had a partial bypass. Files you explicitly excluded could still reach the context window under certain conditions.
• Feb 2026: Check Point published CVE-2025-59536, a command-injection bug in how Claude Code processed project configuration files.
• Feb 2026: Knostic scanned npm and found Claude Code's settings.local.json in roughly 1 in 13 packages. The file captured environment variables, including secrets, from every agent session.
• Feb 2026: Anthropic acknowledged the env-var capture and shipped a patch. The patch covers new writes. Files already on disk were not cleaned up automatically.
• Early 2026: OX Security reported approximately 7,000 MCP servers in the wild with about 150 million downloads total. None require a code signature or provenance attestation.
• Early 2026: Researchers including Snyk disclosed a prompt-injection attack against MCP GitHub integrations that could exfiltrate private repository data.

January 2026: two leaks before February

The Cursor .cursor/ directory (Knostic, late Jan 2026)

Knostic disclosed that Cursor writes per-project state to a .cursor/ directory inside the repo. The directory held session data, model preferences, and -- depending on the version and workflow -- environment-adjacent context. Like the Claude Code disclosure that followed it three weeks later, the failure mode was not a sophisticated exploit. .cursor/ was simply absent from standard .gitignore templates. Developers committed it without realizing what it contained.

The disclosure landed quietly. Most commentary framed it as a Cursor-specific quirk. It was the first signal of a cross-vendor pattern: every major coding agent writes something to the repo that standard ignore files were not built to exclude.

The .claudeignore partial bypass (The Register, Jan 2026)

The Register broke a separate story in January: .claudeignore, Claude Code's project-level content filter, had a partial bypass. Developers who added sensitive paths to .claudeignore expecting them to be excluded from the agent's context window found that certain file access patterns could still reach the model. Anthropic confirmed the behavior and began working on a fix.

A security control developers were relying on did not behave as documented. That gap, and the public attention it drew to Claude Code's file handling, set the stage for Knostic's February disclosure to land in front of a much larger audience.

February 2026: the disclosure month

CVE-2025-59536 (Check Point, early Feb 2026)

Check Point published a command-injection bug in Claude Code's handling of project configuration files. The CVE number is 2025-59536 (the CVE was requested against 2025 infrastructure, published in 2026). An attacker who could write to a Claude Code project file -- for instance, via a compromised dependency or a malicious pull request -- could cause Claude Code to execute arbitrary commands when the developer opened the project.

Data-as-code in a trusted config file: classic injection, just wearing a new coat. The attack surface covers any workflow where Claude Code opens projects from sources the developer does not fully control -- open-source contributors, anyone reviewing PRs from external forks.

The settings.local.json npm leak (Knostic, mid-Feb 2026)

Claude Code writes settings.local.json to .claude/ in the project root at the start of every session. The file holds permissions, trusted tool preferences, and model configuration. It also captured environment variables from the agent's process at session start. Any key exported in the developer's shell -- STRIPE_SECRET_KEY, OPENAI_API_KEY, DATABASE_URL -- could land in the file.

npm publish ships .claude/settings.local.json because the path is not in npm's default ignore list and was not in the .gitignore starters that most projects use. Knostic scanned the npm registry in February and found the file in approximately 1 in 13 packages. The packages were live. The registry does not require removal.

GitGuardian's 2026 "State of Secrets Sprawl" report put numbers to the backdrop: AI-service tokens (OpenAI, Anthropic, Cohere, and similar) leaked 81% more often year-over-year, and AI-assisted commits leaked secrets at roughly twice the rate of hand-written code. The settings.local.json pattern was already in the data before Knostic named it.

Anthropic patches env-var capture (late Feb 2026)

Anthropic acknowledged the behavior and shipped a patch in late February. The new version of Claude Code no longer records environment variables into settings.local.json. The patch applies to new writes only. Files already on disk in repos that had not been opened since the patch shipped still held whatever they captured. Developers had to audit and clean up themselves.

Vendors confirm, patch new behavior, and stop there. The deployed artifact population stays exposed. If you published an npm package between November 2025 and late February 2026 while using Claude Code in that repo, the file may still be in the registry tarball.

March -- April 2026: researchers count the MCP ecosystem

MCP supply chain: 7,000 servers, no signatures (OX Security, early 2026)

OX Security published a report in early 2026 counting the MCP (Model Context Protocol) ecosystem: approximately 7,000 servers available across registries, GitHub repos, and first-party integrations, with a combined download count approaching 150 million. None of the major distribution channels require a code signature or a provenance attestation.

Adding an MCP server to your Cursor or Claude Code configuration grants that server access to your agent's full tool-call surface. A malicious or compromised MCP server can read files, make network requests, and execute shell commands. The only check between you and that outcome is whether you read the server's source before installing it. Most developers do not.

The OX Security numbers are scale context, not an incident count. The incidents are already happening, but disclosure is lagging. In 2016, npm looked roughly the same: fast growth, no vetting, implicit trust. The retrospective was not kind.

MCP GitHub prompt-injection data heist (Snyk + researchers, early 2026)

Snyk and independent researchers demonstrated a prompt-injection attack against MCP GitHub integrations. The attack works like this: an attacker creates a GitHub issue or PR description that contains injected instructions directed at an AI agent. When a developer uses an MCP-enabled coding agent to review the issue, the agent reads the injected content, interprets the instructions as legitimate tool directives, and exfiltrates private repository data -- files, secrets, commit history -- to an attacker-controlled location.

The attacker does not need access to the developer's machine. They need the developer to ask an agent to review attacker-controlled content. What data leaves depends on the agent's permissions and which MCP servers are connected.

Researcher disclosures demonstrated several specific repositories as vulnerable. Mitigations are incomplete: prompt-injection defenses at the model level help, but do not fully block the attack, and MCP servers have no standard sandboxing model.

What we keep seeing

Two patterns show up in every incident so far.

Agents inherit ambient trust. Every coding agent starts a session with the same file-system permissions and environment variables as the developer who launched it. That means every secret in the developer's shell is available to the agent, to every MCP server the agent calls, and to every file the agent writes. The agent is no more careful with those secrets than the developer is -- and the developer's shell has been accumulating exported variables for years.

State files reach artifacts. Claude Code's settings.local.json in npm packages is the documented example. .cursor/ in git commits is another. Agent log files in Docker images. Context exports in CI artifacts with 90-day retention. The tool writes something to disk inside the repo. The publishing pipeline does its job.

Supply chain is where the leverage concentrates. The MCP ecosystem at 150 million downloads with no code signing is a supply-chain problem. CVE-2025-59536 is also a supply-chain problem: a compromised project file executes arbitrary code when the developer opens the project. The Knostic disclosures point the same risk the other direction: a trusted tool leaks into an artifact a downstream consumer installs.

Four significant disclosures landed in roughly eight weeks, January to late February 2026. Anthropic patched one behavior. The others remain in the "researchers demonstrated this, mitigations are incomplete" state. The MCP ecosystem continues to grow without a governance layer. Expect the disclosure pace to hold through Q2.

What people are getting wrong about this list

"These are AI-specific attacks." Command injection in a config file is CVE-1999-era material. Credential leaks via state files that land in published artifacts are a variant of the secret-in-source problem that git-secrets was built to address in 2013. Prompt injection is the one genuinely new surface. The rest are old attacks against developers who have not yet built muscle memory around "what does this tool write to disk?"

"Vendors will patch this." Vendors patch the specific behaviors that get disclosed and cause embarrassing headlines. The underlying model -- agents that inherit full ambient trust and write state files into the repo -- is the default configuration users expect, so it is staying. The Anthropic patch for settings.local.json env-var capture left the file on disk. It just holds less data now. The next version of this incident will involve a different field in a file that still exists.

"This is the Claude Code problem." Knostic disclosed the Cursor issue three weeks before the Claude Code one. OX Security's MCP report covers the entire ecosystem. GitGuardian's numbers span AI-assisted commits across platforms. No single vendor owns this, and patching one vendor's behavior does not change your exposure to the others already installed in the same repo.

"Prompt injection is the main risk." Credential harvesting and supply-chain insertion pay better and have thinner defenses. Prompt injection is easier to demo in a conference talk. Stolen credentials fund operations. The OX Security MCP data -- 150 million downloads, no code signing -- describes an ecosystem where anyone who wants to insert malicious code into a developer's agent toolchain has roughly 7,000 distribution vectors and no gate to pass through. That is a supply-chain story.

"The $82K Google Cloud bill was an AI agent security incident." The documented $82K bill (widely circulated, 2024) was resource overconsumption by an agent that autonomously spun up compute. The Replit incident from mid-2024, where an agent deleted a production database during a migration, belongs in the same bucket. Both are real. Both belong in a different list: agents that made costly mistakes while authorized to act. The 2026 incidents are adversarial; the 2024 incidents were capability-without-guardrails. Separate categories.

Questions to ask before adding a new agent or MCP server

Before adding a new agent or MCP server to a project:

- [ ] What does this tool write to disk inside the repo?
      (Check docs. If docs are absent, grep the source.)
- [ ] Is that path in .gitignore, .npmignore, .dockerignore?
- [ ] Does the tool inherit my full shell environment?
      (Test with: env | grep -i key | grep -v PATH)
- [ ] Can I scope its environment to only what it needs?
- [ ] Who publishes this MCP server, and can I read the source?
- [ ] Does the server have a published CVE history or disclosure policy?
- [ ] What file-system and network permissions does this MCP server request?
- [ ] If this server is compromised, what can it read from my agent session?
- [ ] Do I have a prepublishOnly / CI step that blocks publishing if state files exist?
- [ ] Have I run git log --all -- '.claude/*' '.cursor/*' on repos that use this tool?

For each new agent tool installed this month:
- [ ] Run: grep -r "agent-state-dir" .gitignore (adapt name to tool)
- [ ] Pull and inspect the last published tarball of any npm package from this repo

Re-run this checklist whenever a new agent, new MCP server, or new coding tool enters the project. The exposure changes every time the toolchain does.

What this means for your stack

Agents read ambient state, write it to disk, and the artifacts that ship from your repo carry that state along. The minimum mitigations are the ignore-file additions and the publish-time guards in the checklist above. Past that, the durable fix is a runtime model where secrets are not ambient in the first place.

That runtime model looks like this: a local broker holds secrets in an encrypted vault, agents request access at the call site, the broker injects values into specific child processes at exec time, and an append-only audit log records each grant. The agent reads a reference, not the value. State files the agent writes hold references. A vendor that ships a new version of settings.local.json with a bug finds nothing worth taking because the file never held a real value.

hasp is one working implementation. curl -fsSL https://gethasp.com/install.sh | sh, hasp setup, connect a project, hand the next session a reference instead of a key. Source-available (FCL-1.0), local-first, macOS and Linux, no account.

The lesson holds regardless. The 2026 incident list will keep growing. The category of "coding agent inherits everything in your shell and writes some of it to a repo-local file" will keep producing disclosures until the default runtime model changes. The incidents are predictable; which vendor ships the next one is not.