Hey readers! 👋

This week's AI coding landscape is buzzing with security concerns, new tools, and some fascinating data on whether AI agents are actually better at code review than humans. Spoiler: the numbers are interesting. We've also got a clever workflow where AI agents do your coding while you sleep, and a hot take on why MCP isn't dead after all. Let's dig in.

🔒 Security Takes Center Stage

The theme this week is unmistakable: as AI writes more code, securing that code is becoming the central challenge. Multiple stories converged on this from different angles.

The 2 failures with AI coding that are creating security bottlenecks highlights a core tension - organizations are deploying AI coding tools without expanding their security review capacity, so the bottleneck simply moves downstream to the reviewers. - GitLab via The New Stack

"AI promised to accelerate development, but we are creating security review bottlenecks faster than AI can improve coding efficiency."

Cursor open-sources its fleet of security agents that continuously monitor code changes and block vulnerabilities before they reach production. Built on Cursor's new Automations platform, agents like Vuln Hunter and Invariant Sentinel use semantic reasoning rather than pattern matching. They're releasing the templates and Terraform configs for anyone to use. - The New Stack

Meanwhile, Brian Vermeer from Snyk dropped a sobering stat at DevNexus: after scanning over 4,000 AI skills, one in seven contained at least one critical vulnerability. Trusted skills can silently update and offload credentials, making prompt injection a real threat. The takeaway? Stop installing skills without reading what's inside them.

NanoClaw and Docker are teaming up to isolate AI agents inside MicroVM sandboxes, adding a second layer of isolation for autonomous agents that can install packages, build images, and access sensitive data. - The New Stack

"When you're building with AI agents, they should be treated as untrusted and potentially malicious. The right approach is an architecture that assumes agents will misbehave and contains the damage when they do."

Speaking of agents and security, if you're curious about AI agents operating in complex environments, SpaceMolt is an interesting experiment - a free MMO built entirely for AI agents to explore, trade, and battle across a virtual cosmos. It's a fun sandbox for thinking about how autonomous agents interact in unpredictable settings.

🤖 AI Code Review: Agents vs. Humans

Augment shared production data showing their AI code review agent fixed 1.03 bugs per PR compared to 0.54 for human reviewers, with comparable true-positive rates (45% vs 50%). They published a detailed breakdown of how they built their agent, emphasizing that context beyond the PR, careful system design, and rigorous eval loops are the three essential ingredients. - @augmentcode

Anthropic launched its own AI code reviewer, but some developers are pushing back, citing high costs and concerns that it undermines the role of senior engineers. - Business Insider

GitHub Copilot now offers code review directly in the CLI, letting developers add Copilot as a PR reviewer with simple commands or the /review slash command. No browser switching required. - Techgenyz

Greptile evaluated NVIDIA's Nemotron 3 Super for code review and found it delivered actionable results in just 12.5 seconds with only two tool calls, despite having just 12B active parameters. It caught a critical CORS regression in a 19-file diff. - Greptile Blog

CodeRabbit introduced Pre-Merge Checks that automatically evaluate every PR against both built-in validations and custom rules written in plain English, catching hygiene issues before human reviewers even look. - CodeRabbit

🛠️ Tools & Workflows Worth Knowing

OpenAI's Codex continues to expand as a multi-agent coding platform, and they've explained why Codex Security skips SAST reports entirely, opting instead to start from repository architecture and threat models. Their reasoning: static analysis can't determine whether validation logic actually enforces intended constraints. - OpenAI

OpenAI is also offering free Codex access to open-source maintainers through a new program that includes six months of ChatGPT Pro, API credits, and Codex Security scanning. A smart move as AI-generated PRs flood open-source projects. - DeveloperTech

Codex works better when you set it up correctly is a practical guide arguing that most quality issues are really setup issues. The key: create an AGENTS.md file, use structured prompts (goal + context + constraints + done-when), and start with read-only planning before granting automation permissions. - JP Caparas

Jamon Holmgren's Night Shift workflow is one of the more creative approaches we've seen. During the day, you write detailed specs. At night, AI agents autonomously implement, test, and review code. By morning, you review the results. - Jamon Holmgren

"My time, energy, and 'human token usage' are highly constrained and expensive resources."

⚡ Quick Hits

  • rtk - A single Rust binary CLI proxy that reduces LLM token consumption by 60-90% by filtering and compressing command outputs. Zero dependencies, under 10ms overhead.

  • llmfit - Terminal tool that detects your hardware and scores hundreds of models to find what actually runs on your machine. Supports multi-GPU and MoE architectures.

  • mini-coder - Lightweight, shell-first AI coding assistant built on Bun.js with multi-provider support and local SQLite session persistence.

  • Collaborator - macOS desktop app with an infinite canvas for running AI agents, terminals, and code editors side by side. All data stored locally.

  • MCP is Dead; Long Live MCP! argues that while CLI tools have their place, MCP over streamable HTTP remains essential for enterprise adoption, offering centralized auth, telemetry, and consistent delivery across agent front-ends.

📋 Regulation & Compliance

The EU's Cyber Resilience Act treats AI-generated code identically to human-written code, making manufacturers legally responsible for everything. With 96% of developers doubting AI code correctness, automated verification is becoming a compliance necessity, not just a nice-to-have. - Security Bloggers Network

CyberNews surveyed the top 6 AI dev tools for 2026, covering Tabnine, GitHub Copilot, ChatGPT Codex, Cursor, Claude Code, and Replit. The key insight: tool choice should be driven by editor fit, privacy needs, and team size rather than hype. - @CyberNews

That's a wrap for this week. The security conversation around AI coding is maturing fast, and the tooling is keeping pace. Stay sharp out there.

Made with ❤️ by Data Drift Press. Hit reply with questions, comments, or feedback - we read every one!