Exclusive: Cursor taps new security partner in push to secure vibe coding

Illustration: Eniola Odetunde/Axios
Cursor, the popular AI coding assistant platform, has tapped a new security partner to reduce the risk that developers pull vulnerable or malicious open-source code into their projects, the company first shares with Axios.
Why it matters: As AI tools generate more code, security teams worry vulnerable or malicious components could spread faster than they can be reviewed or fixed.
Driving the news: Cursor is launching a new partnership with open-source security company Chainguard today that attempts to limit that risk by steering AI-generated code toward vetted open-source components.
- Cursor will embed Chainguard's products into its platform so that images and code libraries pulled into users' projects are less likely to include hidden malware or known vulnerabilities.
- Developers can turn on the Chainguard integration "through simple natural language instructions" with little or no additional setup, Cursor said in a press release.
Threat level: Hackers are increasingly targeting open-source software as a way to compromise not just one company, but potentially millions of systems at once.
- A recent wave of supply chain attacks involved hackers injecting malicious code into new versions of open-source libraries.
- "AI agents are making dependency decisions at a scale and speed no security team can manually review," Dan Lorenc, CEO and co-founder of Chainguard, said in a statement. "As organizations adopt agentic development, the biggest blocker is no longer how fast code can be generated — it's whether that code can be trusted."
Between the lines: Cursor — along with Anthropic's Claude Code and OpenAI's Codex — has unlocked a cornucopia of vibe-coded software.
- But that code still relies on open-source packages that can contain vulnerabilities or be compromised by attackers.
The bottom line: Security experts expect AI to eventually help find and fix vulnerabilities faster. But for now, companies are scrambling to make sure it doesn't introduce new ones.
