AI Coding Tool Security Vulnerabilities and Development Ecosystem Issues
코딩/개발 | Wed Jul 15 2026 00:00:00 GMT+0000 (Coordinated Universal Time) | 5 sources
Security concerns emerged across development tools, including code leakage from Grok Build, a Cursor zero-day, and Secure Boot bypass vulnerabilities.
Analysis
[SpaceXAI Grok Build] was found uploading users' entire codebases without authorization [1]
- Grok Build CLI uploaded entire repositories to Google Cloud
- Included files marked as do-not-open and deleted secrets
- SpaceXAI disabled the feature after Cereblab's report
- Elon Musk promised full deletion of existing data
[Cursor] disclosed a 0day vulnerability that automatically executes code when opening a repository [4]
- Automatically runs a malicious git.exe placed at the repository root on Windows
- Arbitrary code execution possible without user click or approval
- Mindgard first reported in December 2025
- unpatched for over 6 months
- Vulnerability persists despite over 197 new versions released
[Microsoft Secure Boot] was found to have a 13-year-old bypass issue due to unrevoked shim signatures [2]
- ESET identified 11 signed flawed shims dating back to 2013
- UEFI Secure Boot can be bypassed even by novice hackers
- Threatens both Windows and Linux users
- Enables persistent bootkit installation surviving OS reinstalls or disk replacements
[GitHub Dependabot] introduced default package cooldown to prevent supply chain attacks [3]
- Waits at least 3 days after a new release before creating PRs
- Applied as default without separate configuration
- Security updates open immediately without delay
- Also to be applied in GHES 3.23
[HTMX and Go] shared interactive web app development patterns based on server-side rendering [5]
- Combines Go's html/template with HTMX
- Patterns for structuring partial and full-page HTML responses
- Methods for handling redirects and errors when using HTMX
- Achieves app-like UX while minimizing JavaScript
Sources
- [1] SpaceXAI’s Grok programming tool was uploading its users’ entire codebase to cloud storage - The Verge AI
- [2] Microsoft’s Secure Boot has been broken for a decade and no one noticed until now - Ars Technica AI
- [3] Dependabot version updates introduce default package cooldown - Hacker News
- [4] Cursor 0day: When Full Disclosure Becomes the Only Protection Left - Hacker News
- [5] How I use HTMX with Go - Hacker News