LOVABLE SECURITY REPORT JUNE 2026: THE AGENT-INTEGRATION LAYER GOES OPERATIONAL

Living report. This is the June 2026 report in progress, updated through the month as the period develops. Last updated June 8, 2026. For the week-by-week view, see the Vibe Coding Security Weekly.

In May 2026 the defender stack reorganized and three new attack classes got names: TrustFall, CLI-Anything, and DDIPE — all of them describing the same thing, the agent-integration layer, the config files and natural-language instruction sets that AI coding agents read and obey. May named the category. June is the month it went operational. Inside the first week, Sophos caught a threat actor using Cursor and Claude Opus 4.5 to build malware at scale, and the Miasma worm hit Microsoft, Azure, and Red Hat by planting the exact files — .cursor/rules, .claude/settings.json, .gemini/settings.json — that May’s TrustFall and DDIPE disclosures warned about. The agent became both the weapon and the target in the same seven days.

Is Your Lovable App Vulnerable?

Enter your deployed Lovable app URL to check for the vulnerabilities described in this report.

The Agent as Weapon: Sophos Catches Cursor + Claude Building Malware

In early June, Sophos X-Ops published “Pointing a Cursor at evading detection” — one of the first documented cases of a sophisticated threat actor using AI coding tools to systematically develop and test malware. The setup is the part that should land for any Lovable developer: a threat actor used the Cursor IDE with Claude Opus 4.5 as an orchestrating agent — “One agent using Claude Opus 4.5 was responsible for core operations and setting rules for the other agents.”

The output was a factory, not a sample: nearly 80 modules testing over 70 techniques to evade Sophos, CrowdStrike, and Windows Defender. The actor called it a “red team framework,” which Sophos assesses was “likely” cover to circumvent Claude’s malware guardrails. The line that matters: “AI accelerated tool development and testing, but humans drove the workflow.”

This is the same agent-orchestration pattern a Lovable developer uses for legitimate work — a lead agent directing sub-agents, holding context across sessions — pointed at EDR evasion. The productivity multiplier that makes vibe coding attractive is the same multiplier that makes a malware R&D cycle cheap. Model-side safety training is a speed bump, not a control.

The Agent as Target: Miasma Plants .cursor/rules Across 73 Microsoft Repos

On June 5, 2026, StepSecurity reported the Miasma worm — the Mini Shai-Hulud lineage — hit Microsoft again: 73 repositories across the Azure (49), microsoft (10), Azure-Samples (13), and MicrosoftDocs (1) GitHub orgs, including Azure/functions-action. GitHub’s automation disabled all 73 in a 105-second window.

What makes this a vibe-coding story is what got planted — five files, each aimed at a different AI coding agent or IDE:

• .claude/settings.json — a SessionStart hook for Claude Code; fires when the agent session opens.
• .cursor/rules/setup.mdc — a prompt-injection rule with alwaysApply: true; Cursor obeys it on every interaction.
• .gemini/settings.json — the Gemini CLI equivalent.
• .vscode/tasks.json — runOptions: { "runOn": "folderOpen" }; VS Code executes on open.
• .github/setup.js — a 4.6 MB obfuscated payload that harvests secrets from AWS, Azure, GCP, Kubernetes, and 90+ developer-tool configurations.

This is TrustFall and DDIPE in the wild, against named, high-value targets. The worm exploits no code vulnerability — it exploits implicit trust, the fact that a developer’s agent reads these files automatically the moment a repo is opened. For a Lovable developer who clones a community template, a starter repo, or any open-source dependency and lets Cursor or Claude Code index it, the exposure is identical: the agent runs the attacker’s instructions with the developer’s OAuth tokens and cloud credentials.

The Review Gap: RedHat’s npm Namespace Falls to Orphan Commits

On June 1, 2026, Wiz reported that at least 32 package releases under the @redhat-cloud-services npm namespace — cumulatively ~80,000 weekly downloads — were compromised. The route: a compromised Red Hat employee GitHub account pushed malicious orphan commits (no parent in branch history, so they bypassed code review) to two RedHatInsights repositories. The payload carried preinstall scripts that ran at install time and collectors that targeted GCP and Azure cloud identities — “all identities the infected machine has access to.” Wiz ties the code to the (Mini) Shai-Hulud malware open-sourced by the TeamPCP group, the variant that brands its repos “Miasma: The Spreading Blight.”

RedHat (Jun 1) and Microsoft (Jun 5) are not two stories — they are the same self-spreading campaign, four days apart, hitting two of the most trusted namespaces in enterprise software. For Lovable apps, which ship a package.json full of npm dependencies that the AI agent selected, the lesson is that “it came from a trusted org” is not provenance. The defense is install-time, not pull-request-time: disable install scripts, enable a version cooldown, and verify commit lineage rather than just the publisher.

Cursor SDK Goes Public Beta: The Surface Scales

The same week, Cursor’s TypeScript SDK (@cursor/sdk) opened to all users in public beta — agents that run on a local machine, on a sandboxed cloud VM, or on self-hosted workers, with subagents and hooks. DevOps.com’s framing is the security read: agents as deployable infrastructure. An SDK turns one-developer-in-an-IDE into fleets of programmatic agents running in CI and on schedules — exactly the surface Miasma targets: more agents, more auto-read config, more runtimes executing on folderOpen and SessionStart. Cursor’s own answer points the right way (self-hosted workers, the Security Review beta), but the structural fact stands: agents got easier to deploy at scale the same week a worm proved the agent runtime is a primary target.

What June 2026 Means for Lovable

The May report ended on an open question: does the platform-side defender wave get deep enough to shrink the exposure baseline, or does the agent-integration attack surface grow faster than the defender stack? The first week of June is a data point for the second answer. The attacks that May could only name — agent-config poisoning, instruction-set supply chain, the agent as a privileged executor of untrusted text — are now field-confirmed against Microsoft, Azure, and Red Hat, and demonstrated as an offensive force-multiplier by a real threat actor.

For Lovable developers, the practical shift is where the attack surface lives. It is no longer just your deployed app’s default-public setting and missing RLS (still the baseline — see the April report). It is now also the config your AI agent silently trusts on every repo it opens. SAST cannot see a poisoned .cursor/rules. SCA cannot see an orphan commit. The first scanner category that covers the agent-integration layer will own it; until then, the control is procedural.

What Lovable Developers Should Do Now

Updated for the June 2026 threat picture:

1. Treat agent-config files as executable code. Add .cursor/rules/, .claude/settings.json, .gemini/settings.json, and .vscode/tasks.json to your review and pre-commit inspection set. A directive that arrived in a cloned repo should never be obeyed unreviewed.
2. Block auto-execution triggers from untrusted repos — runOn: folderOpen, Claude SessionStart hooks, and alwaysApply: true Cursor rules. These are the exact lines that turned “clone a repo” into “run the payload” across 73 Microsoft repos.
3. Disable npm install scripts (npm config set ignore-scripts true) and enable a version cooldown (block versions younger than 48–72h). Both the RedHat and earlier Cline compromises executed at install time, in windows measured in minutes.
4. Rotate GCP/Azure credentials reachable from any CI runner that installed @redhat-cloud-services packages on June 1.
5. Verify commit lineage, not just the publisher, on dependencies from trusted orgs. RedHat fell to orphan commits with no branch-history parent.
6. Switch your Lovable project from public to private and enable RLS with row-ownership policies (auth.uid() = user_id). The agent-layer threats are new; the default-public baseline is still the most common breach.
7. Inventory where your AI agents execute — IDE, CI, cloud VM, scheduled SDK workers — and what config each one trusts. The Cursor SDK going GA means agent fleets, not single IDEs. Add them to your AI-BOM.
8. Run an end-to-end scan against your deployed app. The agent-layer defenses are procedural and the install-time ones fire before deploy; your live app still needs a runtime gate. Test the URL.

Related Resources

• Vibe Coding Security Weekly — June 8, 2026 — the week-by-week detail behind this report
• Lovable Security Report May 2026 — the month that named TrustFall, CLI-Anything, and DDIPE
• Lovable Security Report April 2026 — the 380K-app exposure baseline that hasn’t shrunk
• Your CLAUDE.md Is Attack Surface — the exact threat model Miasma’s planted config files exploit
• The Integration Layer Is the Real Security Gap — why install-time and config-time, not PR-time, is where these attacks land
• Lovable Security Scanner — run a full security scan on your Lovable app

Sources

• Sophos X-Ops — Pointing a Cursor at evading detection — early June 2026
• StepSecurity — Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled — June 5, 2026
• Wiz — Miasma: Supply Chain Attack Targeting RedHat npm Packages — June 1, 2026
• DevOps.com — Cursor’s New SDK Turns AI Coding Agents Into Deployable Infrastructure — June 2026
• Unit 42 (Palo Alto Networks) — The npm Threat Landscape: Attack Surface and Mitigations — updated June 2, 2026

This is a living report, updated through June 2026. Numbers are attributed to the sources listed; the Sophos report’s exact publication date is given as early June from secondary coverage, and the “red team framework” characterization is Sophos’s own assessment. VibeEval is not affiliated with Lovable, Sophos, Cursor, Anthropic, Microsoft, Red Hat, Wiz, StepSecurity, or any organization cited. Questions? Contact our team.