IT Brief New Zealand - Technology news for CIOs & IT decision-makers

Developers’ AI agents pose rising software supply risks

Fri, 6th Feb 2026

UpGuard reports that many developers are granting AI coding agents broad access to their machines and code repositories, increasing the risk of supply-chain compromise and data exposure.

The cybersecurity company analysed more than 18,000 AI agent configuration files from public GitHub repositories and found that about one in five developers had enabled high-risk actions without human oversight.

AI coding agents operate within developer workflows, with permissions similar to those of other automation tools. Depending on the configuration, an agent can read and write local files, download content from the web, and run commands.

The research focused on settings that allow actions to run without approval prompts. UpGuard described the findings as a governance issue, noting that security teams do not always know what access developers have granted to new tools.

"Security teams lack visibility into what AI agents are touching, exposing, or leaking when developers grant vibe coding tools broad access without oversight," said Greg Pollock, UpGuard's Director of Research and Insights.

High-risk permissions

The analysis highlighted four configuration areas that could amplify mistakes or malicious activity. The first was file deletion: one in five developers granted unrestricted deletion, which could allow an agent to recursively delete a project or system.

The second issue was saving code changes. Nearly 20% of the files reviewed allowed an agent to automatically save changes to the main code repository, bypassing the human review step many teams rely on to catch security issues and unintended changes.

UpGuard warned this could give attackers a path to insert malicious code into production environments or open-source projects. A compromised workflow can also spread beyond a single workstation if it reaches shared repositories or build pipelines.

The third set of findings involved arbitrary code execution. UpGuard identified permissions that would let an agent run code in common environments without an approval prompt: 14.5% of configuration files allowed arbitrary execution for Python, and 14.4% did so for Node.js. Because agents read content they did not author, such as web pages, issues, or files in a repository, an attacker who can plant instructions in that content (prompt injection) could drive the agent to run code of their choosing and gain control of the development environment.

"Despite the best intentions, developers are increasing the potential for security vulnerabilities and exploitation. This is how small workflow shortcuts can escalate into major supply chain and credential exposure problems," Pollock said.
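The four permission classes above can be checked mechanically in the same way the research did: read each agent's auto-approve list and flag entries that pre-approve deletion, direct repository writes, or Python and Node.js execution. The script below is an added example, not UpGuard's tooling; it assumes a JSON settings file with a `permissions.allow` list of tool patterns such as `Bash(rm -rf:*)`, where a trailing `:*` means any arguments are pre-approved (the shape Claude Code uses; other agents use different formats). The sample configuration is constructed for the example.

```python
"""Audit an AI coding agent's auto-approved permission list for high-risk entries.

Added example, not UpGuard's tooling. Assumes a JSON settings file with a
"permissions.allow" list of tool patterns such as "Bash(rm -rf:*)"; a trailing
":*" (or any "*") means any arguments are pre-approved without a prompt.
"""
import json
import re

# Constructed sample config: pre-approves each of the four risky action classes
# from the research, plus two benign entries that should not be flagged.
SAMPLE_CONFIG = json.dumps({
    "permissions": {
        "allow": [
            "Bash(npm run lint)",   # fixed, benign command
            "Bash(rm -rf:*)",       # unrestricted deletion
            "Bash(git push:*)",     # writes reach the shared repository
            "Bash(git commit:*)",   # no human review before commit
            "Bash(python:*)",       # arbitrary Python execution
            "Bash(node:*)",         # arbitrary Node.js execution
            "Read(./src/**)",       # read-only tool, out of scope here
        ],
        "deny": [],
    }
})

# Category -> regex matched against the command part of a Bash(...) entry.
RISK_RULES = {
    "unrestricted_deletion": re.compile(r"^(rm|rmdir|del|shred)\b"),
    "direct_repo_write": re.compile(r"^git\s+(push|commit|merge|rebase)\b"),
    "python_execution": re.compile(r"^(python3?|pip3?|pipx)\b"),
    "node_execution": re.compile(r"^(node|npx|deno|bun)\b"),
}

BASH_PATTERN = re.compile(r"^Bash\((?P<cmd>.*)\)$")


def parse_allow_list(config_text):
    """Return the list of auto-approved tool patterns from the config JSON."""
    data = json.loads(config_text)
    return data.get("permissions", {}).get("allow", [])


def classify(entry):
    """Return (category, is_wildcard) for a risky entry, or None if benign."""
    m = BASH_PATTERN.match(entry)
    if not m:
        return None  # non-shell tools (Read, Edit, ...) are not checked here
    cmd = m.group("cmd")
    wildcard = cmd.endswith(":*") or "*" in cmd
    base = cmd.split(":", 1)[0].strip()  # command text before the ":*" suffix
    for category, rule in RISK_RULES.items():
        if rule.match(base):
            return category, wildcard
    return None


def audit(config_text):
    """Group risky auto-approved entries by category; True marks a wildcard."""
    findings = {}
    for entry in parse_allow_list(config_text):
        hit = classify(entry)
        if hit is not None:
            category, wildcard = hit
            findings.setdefault(category, []).append((entry, wildcard))
    return findings


if __name__ == "__main__":
    for category, entries in audit(SAMPLE_CONFIG).items():
        print(f"{category}: {entries}")
```

A fixed command such as `Bash(git push origin main)` is still reported, with the wildcard flag set to False: a pre-approved push to the main branch bypasses review whether or not its arguments vary. Running this across every agent settings file checked into an organisation's repositories gives security teams the inventory of auto-approved actions the research found they usually lack.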

MCP lookalikes

The research also examined risks associated with the Model Context Protocol ecosystem, in which developers connect agents to external servers and tools. UpGuard reported extensive use of lookalike servers, which can enable impersonation of trusted technology brands.

In registries where users search for these tools, UpGuard found that for every server from a verified vendor, there were up to 15 lookalikes from untrusted sources. The pattern mirrors typosquatting in software package ecosystems, where small naming differences can trick users into downloading the wrong component.
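The typosquatting comparison suggests a concrete check: before an agent is pointed at a registry server, compare its name and publisher against the vendors you actually trust and flag collisions, near-misses, and brand-borrowing affixes. The script below is an added example, not UpGuard's method. It assumes a registry listing can be reduced to (name, publisher) pairs and that a short verified list is maintained by the security team; every server name and publisher in it is constructed, not a real registry entry.

```python
"""Flag lookalike MCP server names in a registry listing.

Added example, not UpGuard's method. Assumes registry entries reduce to
(name, publisher) pairs and that a verified vendor list is known. All names
and publishers below are constructed for the example.
"""
import re

# Constructed verified list: server name -> the only publisher allowed to use it.
VERIFIED = {
    "acme-cloud-mcp": "acme",
    "widgetdb-server": "widgetdb",
}

# Constructed registry listing as (name, publisher) pairs.
REGISTRY = [
    ("acme-cloud-mcp", "acme"),          # genuine
    ("acme-cloud-mcp", "random-user"),   # same name, different publisher
    ("acme_cloud_mcp", "someone"),       # separator swap
    ("acme-cl0ud-mcp", "someone"),       # digit-for-letter swap
    ("acme-cloud-mcp-official", "x"),    # affix borrowing the brand
    ("widgetdb-server", "widgetdb"),     # genuine
    ("wigetdb-server", "y"),             # dropped letter
    ("totally-unrelated", "z"),          # benign
]

# Digit-for-letter substitutions folded before comparison.
DIGIT_FOLD = str.maketrans("0135", "oles")


def normalize(name):
    """Lower-case, unify separators, and fold common digit-for-letter swaps."""
    name = re.sub(r"[-_.]+", "-", name.lower())
    return name.translate(DIGIT_FOLD)


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(registry, verified, max_distance=2):
    """Return (name, publisher, verified_name, reason) for each suspicious entry."""
    hits = []
    for name, publisher in registry:
        n = normalize(name)
        for vname, vpub in verified.items():
            vn = normalize(vname)
            if n == vn and publisher == vpub:
                continue  # the genuine server
            if n == vn:
                reason = "name_collision"      # identical after normalisation
            elif edit_distance(n, vn) <= max_distance:
                reason = "near_match"          # typo-distance away
            elif vn in n:
                reason = "brand_affix"         # verified name embedded in a longer one
            else:
                continue
            hits.append((name, publisher, vname, reason))
    return hits


def count_per_vendor(hits):
    """Lookalike count per verified name, the ratio the research reported."""
    counts = {}
    for _, _, vname, _ in hits:
        counts[vname] = counts.get(vname, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_lookalikes(REGISTRY, VERIFIED)
    for hit in found:
        print(hit)
    print(count_per_vendor(found))
```

The same comparison applies to package names in a dependency lockfile, which is where the typosquatting pattern the article cites originally appeared; the verified list is the only input that changes.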

The findings come as organisations expand AI use in software development. Many teams now treat AI agents as standard tooling for writing, reviewing, and refactoring code, and some use them for documentation, dependency updates, and routine automation. These practices can reduce manual work, but they also increase the number of systems and credentials exposed to automated processes.

Security teams have begun adding controls around AI use in development, including restrictions on data sharing and guidance on approved services. UpGuard's findings suggest configuration files and permission models are becoming another control point, alongside secrets management and dependency governance.

Development access controls already span operating system permissions, repository roles, and continuous integration settings. AI agents add another layer because they can act on a developer's behalf and, in some cases, interact with external services. Where configurations allow agents to operate without approval prompts, teams may not spot risky actions until an incident is underway.

UpGuard sells cyber risk management software, including a product called Breach Risk, which it positions to identify misconfigurations and overly broad permissions. The company also says the product provides visibility into AI-generated changes, access, and data flows.

UpGuard said the patterns it observed could slow incident response because security teams may not have a clear picture of agent access. The company also said they increase the likelihood of credential and data exposure as more developers adopt AI-driven coding workflows.