Straiker STAR Labs: what 1,700 agent exploits reveal about outcomes
A vendor threat report ran real exploits against production coding, productivity and first-party AI agents. The outcomes split sharply by deployment type — and the defensive lessons generalize.
What is this?
On July 14, 2026, the STAR Labs research team at Straiker published Volume I of its threat report. Researchers ran thousands of adversarial scenarios against production AI agents spanning three deployment categories — coding agents, productivity and browser agents, and custom first-party agents — and logged more than 1,700 successful exploits.
The report’s interest is less any single technique than its breakdown of what a successful attack actually accomplishes, sorted by where the agent runs. One caveat belongs up front: these are vendor-reported figures from a company that sells agent security, and they have not been independently replicated. Treat them as directional signal about the shape of the attack surface, not as settled industry statistics.
How it works
The report groups agents by deployment and reports a distinct outcome profile for each.
Coding agents — the tools that read and write code on a developer’s machine, with Cursor, Claude Code and GitHub Copilot named in scope. Of the attacks that succeeded here, 36% reached remote code execution on the developer’s own machine — the same machine that holds source code and cloud credentials. In one proof-of-concept, the team bought sponsored search ads to outrank a legitimate install page and harvest coding-agent credentials — a reminder that the install and onboarding path is itself an attack surface, not a how-to worth reproducing.
Productivity agents — the assistants and browser agents embedded in everyday work (the report names ChatGPT Enterprise, Microsoft 365 Copilot, Gemini for Workspace, Perplexity Comet and Claude for Chrome) that read email, documents, chats and the web on a user’s behalf. Across these, 91% of successful attacks ended in silent data exfiltration — no jailbreak, no phishing link, no malware. This is the classic “lethal trifecta” shape: private-data access plus untrusted content plus an outbound channel.
First-party agents — the ones an enterprise builds for itself on platforms such as Amazon Bedrock AgentCore, Microsoft Foundry and Google Gemini Enterprise. They run inside the corporate trust boundary, so compromising one yields the widest blast radius, reaching internal systems that coding and productivity agents never touch.
The report also flags a shared supply chain: it says roughly 24% of 17,651+ tracked Model Context Protocol servers carry at least one vulnerability, 28.6% of 130,667 cataloged tools are high risk on their face, and in one marketplace about 5% of published Skills were malicious or high risk. Finally, it introduces two coinages — AiPT (AI-Powered Persistent Threats: attackers that are themselves agents, running offensive toolkits) and LAVA (Language-Augmented Vulnerabilities in Applications: the semantic layer an agent reasons over) — under a four-layer, three-agent-type framework.
Why it matters
The outcome split is the useful part. Coding-agent compromise is loud and destructive (code execution on a credential-bearing machine); productivity-agent compromise is quiet (data leaves with no artifact left behind). That quiet failure mode is precisely what traditional tooling misses: endpoint detection, firewalls and vulnerability scanners inspect code, endpoints and packets, not the semantic layer where an agent decides to act on a malicious instruction embedded in the content it reads. A single poisoned MCP server or Skill, the report notes, reaches every agent type at once — so supply-chain hygiene is not optional. None of this depends on believing the exact percentages; the structural lesson holds regardless of whether the numbers replicate.
Defenses
- Treat the agent install and update path as supply chain. Pin official domains, verify install sources, and be wary of sponsored search results impersonating a tool’s install page.
- Apply the lethal-trifecta rule to productivity agents. Avoid combining private-data access, untrusted content and an outbound channel in one session; constrain or review egress from agents that browse and read mail.
- Enforce least privilege and hard trust boundaries for first-party agents. Segment so a single compromised agent cannot pivot enterprise-wide; scope credentials narrowly.
- Govern the MCP and Skill supply chain. Allowlist vetted servers and tools, review tool descriptions for injection and rug-pull patterns, and re-verify after updates.
- Add semantic-layer observability. Log tool calls together with the context and reasoning that triggered them; classic EDR will not surface a silent exfiltration decision.
- Assume a detection gap for quiet exfiltration. Monitor data egress from productivity agents specifically, since successful attacks there tend to leave no other trace.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Report published | STAR Labs Threat Research, Vol. I | 2026-07-14 | Vendor-reported; not independently replicated |
| Coding agents | Cursor, Claude Code, GitHub Copilot | 2026-07-14 | 36% of successful attacks → RCE on dev machine |
| Productivity agents | ChatGPT Enterprise, M365 Copilot, Gemini for Workspace, Perplexity Comet, Claude for Chrome | 2026-07-14 | 91% of successful attacks → silent exfiltration |
| Supply chain | MCP servers / tools / Skills | 2026-07-14 | ~24% of servers with ≥1 vuln; 28.6% of tools high-risk |
The takeaway is not the leaderboard of percentages but the pattern beneath it: agent risk is shaped by deployment context, the quietest outcomes evade the tools most enterprises already run, and one poisoned dependency crosses every agent boundary at once.
Figures here are drawn from the vendor’s press release and report microsite and are reported as vendor findings, not independently verified. No proof-of-concept payload is reproduced.