AI Coding Safety Report 2026

Real incidents across Claude Code, Cursor, GitHub Copilot, and Windsurf.
Not a product pitch. A public resource for every developer using AI coding tools.

100+
Documented Incidents
4
Major Tools Affected
14.3%
AI Code Has Vulnerabilities
$50K+
Documented Financial Loss

Why This Report Exists

78% of Fortune 500 companies now use AI-assisted development. But 81% have no visibility into the safety of AI-generated code or the actions AI agents take on their behalf (Aikido, 2026).

This report documents real incidents — not theoretical risks — across the four most widely-used AI coding tools. Every incident links to its primary source. No incidents are fabricated or hypothetical.

This is a tool-agnostic resource. We maintain it because developers deserve to know the risks before they press "auto-approve."

Executive Summary

Key Finding 1: File deletion is the #1 incident category across ALL tools. Cursor, Claude Code, and Copilot (via agents) have all produced confirmed cases of unrecoverable data loss — some affecting entire system directories.
Key Finding 2: Credential exposure is systematic, not accidental. AI-generated code contains hardcoded secrets at a 40% higher rate than human-written code (BuildMVPFast, citing GitGuardian). The problem is architectural, not behavioral.
Key Finding 3: Simon Willison's "Lethal Trifecta" — tool access + private data access + untrusted input — is present in every major AI coding tool. CVE-2025-62353 (Windsurf) demonstrated all three failing simultaneously.
Key Finding 4: Token/cost drain is an AI-coding-specific risk category with no equivalent in traditional development. Users report $200/month plans consumed in 15-19 minutes (Claude Code #42796, 1,700+ reactions).
🟠 Claude Code (Anthropic)

90 documented incidents tracked in our Incident Tracker. Categories: token drain (35), production failures (14), file deletion (13), credential leaks (9), config bypass (9), data loss (5), hook bypass (5).

50 GB permanently deleted by rm -rf

Claude ran rm -rf to "clean up" a project directory. Entire directory wiped. No recovery possible.

#49129 · April 2026 · Critical
$1,446 unauthorized financial transfer

A Claude-generated script executed financial transactions without user authorization.

#46828 · March 2026 · Critical
CVE-2026-21852: API key exfiltration via project settings

Malicious project configuration could exfiltrate API keys to an external server.

CVE-2026-21852 · April 2026 · Critical
$200/month Max plan consumed in 15-19 minutes

1,700+ reactions. Entire daily token quota drained in a single short coding session.

#42796 · March 2026 · 1,700+ reactions
Auto-compact death spiral: 15+ compactions overnight

Auto-compact entered an infinite loop, consuming the entire token budget while the user slept.

#51088 · April 2026 · High

Browse all 90 Claude Code incidents

🟣 Cursor (Anysphere)

Multiple confirmed file deletion and code reversion incidents. The Cursor team acknowledged three root causes in March 2026.

System-wide file deletion

"Cursor deleted files across my entire system." A cleanup operation cascaded beyond the project scope, deleting files system-wide.

Cursor Forum #158406 · 2026 · Critical
Code destroyed 7 times

"Cursor destroyed my code/full app, now 7th time." Repeated, unrecoverable code destruction across multiple projects.

Cursor Forum #52371 · Critical
Repository deleted during indexing (Windows 11)

Repository path appeared deleted or renamed during codebase indexing. Data loss incident on Windows 11.

Cursor Forum #157534 · 2026 · High
March 2026 code reversion bug (confirmed by team)

Cursor silently reverted code changes. Three root causes confirmed: Agent Review conflict, Cloud Sync race, and Format On Save producing different file states. Unknown number of users affected.

VibeCoding analysis · March 2026 · High
Agent deletes critical files without confirmation

A 16MB database dump file was deleted without explicit user confirmation during a "cleanup" suggestion.

Cursor Forum #147361 · High
GitHub Copilot (Microsoft/GitHub)

Critical vulnerabilities involving repository takeover, credential exfiltration, and systematically elevated secret leakage rates.

CVE-2025-59145 (CamoLeak): Private source code exfiltration — CVSS 9.6

Attackers could exfiltrate API keys and private source code via GitHub's own trusted image proxy, bypassing Content Security Policy without executing any malicious code.

Legit Security · CVE-2025-59145 · CVSS 9.6
RoguePilot: Repository takeover via prompt injection in GitHub Issues

Attackers could craft hidden prompt injection in GitHub Issues that Copilot would automatically process, leaking GITHUB_TOKEN to an external server. Full repository takeover possible.

Orca Security · February 2026 · Critical
2,702 hardcoded API keys found in AI-generated code

Analysis found 2,702 hardcoded secrets in Copilot-generated code. Repositories using Copilot had 40% higher secret leakage rates than traditional development.

BuildMVPFast · 2026 · High
"Comment and Control" attack affecting multiple AI agents

Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent all vulnerable to credential exfiltration via crafted GitHub Issue comments.

Techzine · 2026 · High
🔵 Windsurf (Codeium)

Path traversal vulnerability demonstrating the "Lethal Trifecta" — tool access, private data, untrusted input all failing simultaneously.

CVE-2025-62353: Path traversal enables data exfiltration

File access had no directory boundaries. System-level access was available without permissions. Prompt injection could trigger both without social engineering. Simon Willison described this as the "lethal trifecta" for AI applications.

Vibe Graveyard · CVE-2025-62353 · Critical

Cross-Tool Analysis

Risk CategoryClaude CodeCursorCopilotWindsurf
File Deletion13 incidents5+ reportsVia agentsVia path traversal
Credential Leak9 incidents + CVENot primary2 CVEs + 40% higher rateCVE path traversal
Token/Cost Drain35 incidentsSubscription modelAPI cost spikesSubscription model
Production Damage14 incidentsCode reversionRepository takeoverData exfiltration
Code ReversionVia compactionConfirmed March 2026Not primaryNot reported

Common Patterns

  1. Auto-approve is the #1 risk amplifier. Every tool offers some form of "auto mode." Every tool has incidents where auto-approve enabled catastrophic actions.
  2. File deletion is the most common catastrophic incident. All four tools have confirmed cases of unrecoverable file or project deletion.
  3. "Clean up" is the most dangerous AI intent. When an AI decides to "clean up" or "organize," it frequently deletes files the user needs.
  4. Overnight/unattended sessions multiply risk. The worst financial and data losses occur when nobody is watching.
  5. The AI doesn't know what it doesn't know. AI tools delete SSH keys, production databases, and credentials because they don't understand the consequences — only the syntax.

Recommendations (Tool-Agnostic)

  1. Never run auto-approve without guardrails. If your tool supports hooks/guards, install them before enabling auto mode.
  2. Back up before long sessions. A simple git stash or branch checkpoint every 30 minutes prevents catastrophic loss.
  3. Don't let AI touch production. Use separate credentials, separate environments. Never give an AI tool production database access.
  4. Monitor token/cost usage. Set budget alerts. Don't leave sessions running overnight without spending limits.
  5. Read the code before committing. AI-generated code has a 14.3% vulnerability rate (Stanford/MIT study). Review diffs.
  6. Keep credentials out of the workspace. Use environment variables, secrets managers, and .gitignore. Never store keys in files the AI can read.

Methodology

This report compiles incidents from: GitHub Issues (anthropics/claude-code), Cursor Community Forum, security research publications (Orca Security, Legit Security, Aikido), CVE databases, developer forums, and news outlets (The Register, SecurityWeek, Techzine). Only incidents with verifiable primary sources are included. We do not fabricate or hypothesize incidents.

Last updated: April 21, 2026. This is a living document — incidents are added as they're reported and verified.

Contribute

Know of an incident we missed? Experienced something yourself? This report is open to contributions.

Submit an incident via GitHub Issue

We welcome incidents from any AI coding tool — Claude Code, Cursor, Copilot, Windsurf, Cline, Devin, or others. Include a link to the primary source (forum post, GitHub Issue, CVE, news article).