AI Coding News

March 22, 2026

Key Signals

  • A security audit of 22,511 AI coding agent skills across four public registries uncovered 140,963 security findings, exposing a critical gap between publish-time scanning and runtime execution. Mobb.ai found that 27% of skills contain shell command execution patterns, one in six embeds curl | sh remote code execution, and ~15% reference consent bypass mechanisms. Confirmed attack vectors include API traffic hijacking that silently reroutes Claude Code conversations to third-party servers in China, hidden HTML prompt injections invisible to developers but readable by agents, and steganographic Unicode payloads. The structural problem — skills execute with full developer permissions but no post-install verification or cryptographic signing — mirrors the npm/PyPI supply chain crises of earlier years, now replaying in the agent ecosystem. [1]

  • Cursor acknowledged that its new Composer 2 model, marketed as "frontier-level coding intelligence," was built on top of Moonshot AI's open-source Kimi 2.5 — a Chinese model backed by Alibaba and HongShan. Community researchers spotted the Kimi model ID in Composer 2's code before Cursor disclosed the base. VP of developer education Lee Robinson stated that only ~25% of compute came from the Kimi base, with the remainder from Cursor's own continued pretraining and reinforcement learning. Co-founder Aman Sanger admitted it "was a miss to not mention the Kimi base in our blog from the start." The episode highlights both the power of open-source model ecosystems and the geopolitical sensitivities around U.S. AI companies building on Chinese foundations. [2]

  • AI coding agent costs have reached approximately $380 per day ($91,200 annualized), approaching a full developer salary in some markets, while the industry simultaneously debates making AI tokens a standard component of engineering compensation. At QCon London, Thoughtworks Distinguished Engineer Birgitta Böckeler reported that a fresh Claude Code session already consumes 15% of context capacity before any prompt is entered, and that per-line generation costs have ballooned from $0.12/100 lines in 2024 to current levels. Separately, Nvidia CEO Jensen Huang proposed at GTC that engineers should receive ~$250K/year in token budgets alongside salary, though critics warn that token allowances don't vest, don't appreciate, and could suppress cash compensation growth. [3][4]

  • The AI coding landscape has shifted decisively from "vibe coding" to autonomous agent swarms operating unsupervised for 20+ minutes, with weekly security incidents driven primarily by prompt injection attacks. Böckeler's QCon London keynote traced the year-long evolution from monolithic rules files to granular skill-based context engineering with lazy loading, and from interactive prompting to headless CLI modes connected directly to CI/CD pipelines via GitHub Actions. She proposed a risk framework based on mistake probability, impact, and detectability, and warned that agent-based experiments from Cursor and Anthropic may not translate to enterprise software where tasks are less well-defined. [3]

  • OpenCode v1.3.0 shipped with GitLab Agent Platform support and Node.js runtime compatibility, marking a significant expansion of the tool's platform reach. The GitLab integration enables automatic discovery of workflow models from GitLab instances, with models accessing opencode's local tools over WebSocket. Node.js support means opencode can now run outside the Bun ecosystem, broadening adoption potential. Additional highlights include git-backed session review for inspecting uncommitted changes and branch diffs directly in the editor, multistep OAuth/SAML authentication, and an interactive update flow with version skip capability. [5]

  • AI is reshaping programming language adoption patterns: TypeScript has overtaken Python and JavaScript as GitHub's most-used language, and strongly typed languages are systematically winning because AI tools generate more reliable code with them. A 2025 academic study found that 94% of LLM-generated compilation errors were type-check failures, giving typed languages a structural advantage in the AI coding era. TypeScript grew 66% YoY to 2.6M developers, Luau grew 194%, and even shell scripting in AI projects surged 206%. No AI-first language has achieved meaningful adoption, suggesting the gravitational pull of existing ecosystems remains dominant. [6]

AI Coding News

  • Cursor's Composer 2 was discovered to be built on Moonshot AI's Kimi 2.5, an open-source Chinese model, sparking debate about transparency and geopolitics in the AI coding tool market. An X user identified Kimi model IDs in Composer 2's code before any official disclosure. Cursor's Lee Robinson confirmed the open-source base but emphasized that 75% of compute came from Cursor's own training, producing "very different" benchmark performance. Moonshot AI confirmed an "authorized commercial partnership" via Fireworks AI and expressed pride in the open-source ecosystem's functioning. The $29.3B-valued startup, reportedly exceeding $2B in annualized revenue, acknowledged the disclosure failure and committed to crediting base models in future releases. [2]

  • AI tokens are emerging as a potential fourth pillar of engineering compensation, with Nvidia's Jensen Huang proposing ~$250K/year token budgets at GTC and startups already integrating inference costs into offer packages. VC Tomasz Tunguz reported that top-quartile engineers at startups now receive $375K salary plus $100K in tokens, meaning roughly one dollar in five is compute. The trend is driven by agentic tools like OpenClaw, which can consume millions of tokens per day running autonomous agent swarms. The New York Times documented a "tokenmaxxing" trend with engineers at Meta and OpenAI competing on internal token consumption leaderboards. However, critics note that token budgets don't vest or appreciate, and could give companies a way to inflate apparent compensation while holding cash and equity flat. [4]

  • Mobb.ai's audit of 22,511 AI coding agent skills documented specific attack vectors including API traffic hijacking, prompt injection via HTML comments, and steganographic Unicode payloads across skills.sh, ClawHub, GitHub, and Tessl registries. A confirmed case involved a GitHub skill that overrides the Anthropic API endpoint, silently routing all Claude Code conversations — prompts, code context, and responses — to Zhipu AI's BigModel platform in China using a hardcoded third-party API token. The study found 159 skills with hidden HTML comment prompt injections and 127 skills with invisible zero-width Unicode characters consistent with binary steganographic encoding. The report recommends that agent tool vendors sandbox skill execution so skills don't inherit full developer permissions, and calls for an industry-wide npm audit equivalent for the skill ecosystem. The timing follows February's "ClawHavoc" incident where 341 malicious skills were discovered on ClawHub. [1]

  • Thoughtworks' Birgitta Böckeler delivered a QCon London keynote arguing that AI coding's most significant advance of the past year is context engineering — not model improvements — and that security is "not a technical problem; it's a conceptual problem." She traced the evolution from monolithic rules files to Anthropic's granular skills with lazy loading, which slow context window consumption but still see a fresh Claude Code session at 15% capacity before any user input. Practitioners are running three or more parallel agent sessions, and Claude Code's Agent Teams feature provides an accessible entry point for multi-agent orchestration. Böckeler cited Simon Willison's "lethal trifecta" — untrusted content exposure, private data access, and external communication ability — as the framework for understanding agent security risk, noting that an attacker used a crafted GitHub issue eleven days before the talk to extract secrets via an unsupervised agent. [3]

  • AI is not driving new programming language creation but instead shifting developer adoption toward existing strongly typed languages, with TypeScript now GitHub's most-used language at 2.6M developers. GitHub's Andrea Griffiths states that "the gravitational pull of existing ecosystems is enormous" and no AI-first language has achieved meaningful adoption. Chris Lattner is building Mojo for AI hardware programming, while Rust is emerging as "the unlikely engine of the vibe coding era" because its strict compiler acts as "a guardrail that forces the LLM to prove its logic is sound." IEEE Spectrum's Stephen Cass raised the speculative possibility of AI generating compiler-ready modules without human-readable source code, but experts remain skeptical — "No engineering team is going to deploy code they can't inspect." [6]

Feature Update

  • OpenCode v1.3.0 ships GitLab Agent Platform, Node.js runtime support, git-backed session review, and multistep authentication. The GitLab Agent Platform integration enables automatic discovery of workflow models from GitLab instances, with models using opencode's local tools over WebSocket. Node.js support adds a dedicated entry point and build script alongside the existing Bun runtime, broadening deployment options. Git-backed session review lets users review uncommitted changes and branch diffs directly within the editor, with the desktop review tree synchronized to the selected source. The release also delivers multistep OAuth/SAML authentication, an interactive update flow with version skip capability, desktop improvements, terminal error recovery, and provider/model fixes for xAI, Vertex AI, and vLLM. Sixteen community contributors participated in this release. [5]