Attack success rates against AI coding assistants exceed 85% when attackers use adaptive strategies. That number comes from a January 2026 meta-analysis of 78 studies, and it should make anyone using Cursor, GitHub Copilot, or Claude Code pay closer attention to what their agent is actually doing.
Prompt injection is when someone hides instructions inside content that an AI reads - a code comment, a README file, a dependency description - and the AI follows those hidden instructions instead of yours. For coding agents that can read files, write code, and run terminal commands, the stakes are higher than a chatbot giving a wrong answer. A successful injection could mean data exfiltration or arbitrary code execution on your machine.
The Numbers Are Ugly
A systematic analysis by researchers Narek Maloyan and Dmitry Namiot cataloged 42 distinct attack techniques across five categories: input manipulation, tool poisoning, protocol exploitation, multimodal injection, and cross-origin context poisoning. They evaluated 18 defense mechanisms from prior work and found most achieve less than 50% mitigation against sophisticated attacks.
Cursor's Auto mode - where the agent acts with minimal user confirmation - showed the highest vulnerability at 83.4% attack success in certain scenarios. Even pairing Cursor with Claude 4 or Gemini 2.5 Pro only brought that down to 69.1% and 76.8% respectively. GitHub Copilot performed better, though "more resistant" is relative when the baseline is this bad.
Separately, Snyk's ToxicSkills research in February 2026 found that 36% of AI agent skills on the ClawHub marketplace contained security flaws. Of confirmed malicious skills, 91% used prompt injection as their attack vector. They identified 1,467 skills with at least one security flaw and 534 with critical issues. Eight confirmed malicious skills were still publicly available at the time of publication.
What Defenses Actually Work
The honest answer: nothing works reliably yet. The research community and companies like OpenAI and Anthropic largely agree that prompt injection cannot be fully prevented with current approaches. That leaves defense-in-depth as the only viable strategy - layering multiple imperfect defenses so an attacker has to beat all of them.
The most promising architectural approach is CaMeL, which enforces strict separation between control logic (your instructions) and untrusted natural language inputs (everything else the agent reads). Instead of hoping the model can distinguish between "real" instructions and injected ones, CaMeL makes that distinction at the system level.
Model-based detection tools like PromptArmor show less than 1% false positive and false negative rates on the AgentDojo benchmark, but benchmarks and real-world attacks are different things. The PALADIN framework proposes five protective layers based on the OWASP Top 10 for LLM Applications, combining input validation, output filtering, privilege minimization, and behavioral monitoring.
What You Should Do Today
The practical takeaway for anyone using AI coding agents: treat them like a junior developer with full filesystem access. Review what they produce. Run agents in sandboxed environments when possible. Be skeptical of auto-approve modes that let agents execute without confirmation - Cursor's Auto mode vulnerability numbers make a strong case for keeping a human in the loop.
The broader pattern here is familiar from every other area of software security. The tools shipped fast, the attack surface is large, and the defenses are catching up. The researchers' recommendation is blunt: treat prompt injection as a first-class vulnerability requiring architectural fixes, not ad-hoc filtering. That is probably right, but it means the agents we are all using today are running ahead of the security work needed to make them safe.