Tuesday night I had two windows open. One was Microsoft's July patch list, long enough that I stopped scrolling and started estimating. The other was a write-up of coding agents getting talked into running attacker scripts against the developer's own machine. Same night. Same technology, working both sides of the fight.
That is the week. AI found a record pile of bugs, and AI was the bug. Five stories, one failure underneath all of them, and it is not the one everybody reaches for. Let me lay out what happened, then make the argument, then tell you where the argument runs out -- because it does.
The patch record is a trap
Microsoft shipped the largest Patch Tuesday in the program's history on the 14th. Count only what shipped that day and it is about 570 CVEs, 59 of them critical. Count the broader July release and it is 622, 62 critical. Tenable landed at 569. Pick your methodology; every one of them set a record. (Google separately fixed hundreds of Chromium bugs the same month. The volume is everywhere.)
Microsoft had warned volume like this was coming. In a July 9 blog post, EVP Pavan Davuluri said customers should expect more security updates per release as the company leans harder on AI-assisted vulnerability discovery; VP of engineering Tom Gallagher floated the same thing in May. Nobody claimed all 570 came out of a machine -- human researchers, incident responders, and Microsoft's own detection teams are all in that count -- but the trend line is Microsoft's own.
Two of those were zero-days already under active exploitation before a fix existed:
- CVE-2026-56155 -- Active Directory Federation Services privilege escalation, credited to Microsoft's own Detection and Response Team, which suggests it surfaced in an incident rather than a lab.
- CVE-2026-56164 -- SharePoint Server escalation that skips authentication on a critical function, exploited unauthenticated over the network. Microsoft rated it Moderate (CVSS 5.3), which undersells the profile.
The third zero-day, CVE-2026-50661, is a BitLocker bypass: publicly disclosed before a fix shipped, but it needs physical access and Microsoft rates exploitation unlikely, so it is a slower clock than the other two. And CVE-2026-56164 does not stand alone -- the same release separately fixed CVE-2026-55040, the first half of a different SharePoint chain that Rapid7's Stephen Fewer says can reach unauthenticated RCE once the second, still-embargoed half ships (Microsoft's patch for that is expected in August). Patch the on-prem farms now and go looking.
So the number is a trap in both directions. Treat 570 as 570 emergencies and you burn your triage team on noise. Treat it as noise and you miss the two already in someone's network. Microsoft's own response is the tell: they cut the recommended deferral window for quality updates to under three days, framing it as AI-era speed -- bugs get found and exploited faster now, and released patches get analyzed faster too. Microsoft is not claiming attackers run its exact pipeline, only that attackers are adopting AI too. The machine that finds bugs faster runs for both teams, even when the machines are not identical.
The other side of the ledger
On July 8, Wiz published GhostApproval and the AI Now Institute published Friendly Fire, the same day, and together they broke the trust boundary every agentic coding tool is quietly betting on.
GhostApproval is a symlink attack, which should make you laugh and then wince. Symlink attacks are a 1990s Unix problem. Here is the 2026 version: a coding assistant reads a file, reasons out loud that it is a symlink pointing at a sensitive path, and writes to it anyway. The approval dialog names only the harmless-looking file. The agent writes to the dangerous target. The human is still in the loop -- the loop is just showing them the wrong thing. Amazon classified its version as a high-severity pre-authorization write and shipped CVE-2026-12958. Cursor issued CVE-2026-50549 and fixed it in v3.0. Google fixed it in Antigravity. When Wiz published, Augment and Windsurf were still open. Current Claude Code builds resolve symlinks now.
Friendly Fire is the one that should change how you buy. Boyan Milanov and Heidy Khlaaf went after the workflow half the industry wants to automate: point the agent at an untrusted third-party codebase and ask it to review the dependency and patch what it can. That sounds defensive. It also means the agent ingests untrusted source, docs, and scripts, and their exploit needs no hooks, no skills, no plugins, no MCP server, no malicious config file. It does require Claude Code in auto-mode or Codex in auto-review -- the autonomy setting that hands command approval to the agent instead of you. Then it is just a prompt injection sitting in ordinary repo content, a README pointing at a plausible security script, and when the agent is asked to do security testing, that text persuades it the script is part of the job.
A model update alone cannot fix this. The models still cannot reliably separate the code they are reading from the instructions they are meant to follow.
That is the authors' argument, and it is the load-bearing claim of this whole piece. It is not a bug with a ticket. It is how these agents work today, and any tool whose entire safety story is "the model will notice" inherits it.
The awkward one: Claude Code
China's government-run National Vulnerability Database flagged Claude Code versions 2.1.91 through 2.1.196 as containing a "backdoor" -- a mechanism it said transmits user location and identity to remote servers without consent -- and told developers to uninstall. Anthropic pushed back, denying an espionage backdoor and calling the disputed functionality an anti-abuse experiment; a Claude Code engineer said an anti-distillation steganography mechanism was removed in version 2.1.198 on July 1. That is the geopolitics, and it gets one careful paragraph, because I cannot adjudicate whose framing is right and neither, probably, can you. What the public record establishes is narrow: anti-distillation logic existed and was removed. It does not settle whether that logic was a backdoor or transmitted what China alleged. Hold both.
You do not need to believe China's characterization to see the enterprise problem the dispute exposes: regardless of intent, you need a clear, inspectable account of what a privileged development tool collects, where it sends it, and why. A privileged agent whose egress you do not observe and whose telemetry you cannot enumerate is a trust boundary you are extending blind. The fix is not to pick a side in a geopolitical fight. It is to treat any agent with this much reach the way you would treat any other privileged process on your network.
Meanwhile, the Russians used none of it
While everyone watched the machines, a coalition of Western agencies told you what is actually being exploited. On July 13, NSA led a joint advisory -- AA26-194A, with CISA, the FBI, DC3, the other Five Eyes countries, and a raft of European partners -- warning that Russian state actors are hitting critical infrastructure through public-facing network gear. Not zero-days. Known, already-patched CVEs and elementary configuration failures: default SNMP community strings, weak passwords, exposed management interfaces, Cisco Smart Install left switched on. The headline recommendation is router hygiene, which tells you the attack is a hygiene failure and an unpatched-known-bug failure, not a novel exploit.
Pair it with the campaign CISA and the FBI have kept live since the spring: actors tied to Russian intelligence phishing people out of their Signal and WhatsApp accounts. The encryption is not broken. Nobody cracked Signal. They get the target to hand over a verification code or link an attacker-controlled device, and walk around the crypto by owning the account. Thousands of accounts, with the targeting aimed at officials, military personnel, political figures, and journalists.
Here is the Russian playbook, and the documented version of it needs no AI at all: unpatched known bugs, bad config, and a convincing lie. It works because it targets the trust that sits outside the model, outside the patch, outside the CVE.
What this does NOT solve
Here is where I get honest, because the trust-model argument has real limits and I would rather name them than have you find them in the comments.
It does not buy you time on the exploited zero-days. Redesigning trust boundaries is a quarters-long project. CVE-2026-56155 and CVE-2026-56164 need patching this week. "Design for the blast radius" and "patch the thing that is on fire" are not substitutes, and if you read this as permission to slow-walk the two exploited bugs, you read it wrong.
Least privilege contains Friendly Fire. It does not stop it. Constrain what a compromised agent can spend and you shrink the damage. You do not stop the injection -- the agent still runs the script. You are deciding how bad it gets, not whether it gets fooled. That is worth a lot. It is not immunity.
"Observable egress" is easy to write and hard to run. That is the Claude Code lesson turned back on us. Be honest: can you actually enumerate what your coding agent's binary phones home right now? Most shops cannot. Saying "monitor the egress" is not the same as having done it.
GhostApproval breaks "human in the loop" as a control. If the approval surface shows the benign path while the agent writes to the dangerous one, your human is approving a lie. Oversight is not a control when the oversight surface is compromised. Any security story that leans on "a person will catch it" has to reckon with that.
And the 570-CVE triage problem is one AI made for defenders and does not solve for them. You still need human judgment to find the two that matter in the pile. The discovery engine that inflated the count does not hand you the priority list.
The through-line
Line them up. A record patch release from a discovery pipeline Microsoft is increasingly running on AI. An agent that wrote to a symlink it had just identified as dangerous. A dev tool carrying disputed code its users could not evaluate in advance. A critical-infrastructure router exposed by a known bug or a default nobody changed. A Signal account lost to a convincing lie. Different altitudes, one failure: trust extended past the point where the surrounding controls can defend it.
The AI stories feel new. They are not. They are the oldest failure in the field -- misplaced trust -- wearing this year's clothes and carrying a bigger blast radius, because an agent holding your credentials and a symlink bug can do more damage faster than a 1998 attacker with the same bug ever could. The novelty is the scale, not the mechanism.
Patching keeps you alive. It does not fix the trust model.
Which is why "patch faster" is the wrong takeaway, even in the week of the biggest patch drop on record. Patch the two exploited zero-days today -- not up for debate. But faster patching is a treadmill, not a strategy: you cannot out-run a discovery engine that runs for the attacker too, a model update alone will not teach an agent to reliably tell code from instructions, and no patch fixes a default credential the vendor left you to change. Those need the other move -- least privilege that actually bites, credentials the agent cannot quietly spend, network paths you can see, an admin interface that was never on the internet in the first place.
Your turn
I will put the disagreement on the table so you can take a swing at it: I think "patch faster" is a treadmill and the real work is redesigning trust boundaries. Tell me I am wrong.
Two concrete questions, because I actually want the answers. If you run coding agents in auto-mode against code you did not write, what is watching their egress right now -- and if the honest answer is "nothing," is that a tooling gap or a you-should-not-be-doing-that? And for the 570-CVE weeks: how are you triaging when the list is that long, now that AI is going to make every month look like this?