Grok Walks Off With Your Repo? When the "Smartest Assistant" Becomes the Most Dangerous Tool Security researcher cereblab discovered that xAI's Grok Build silently uploads entire codebases to Google Cloud, even with the 'Improve the model' toggle disabled, and xAI has not publicly responded. Anthropic's Claude Code was flagged by China's MIIT for a covert surveillance backdoor targeting Chinese cloud providers, and has repeatedly leaked source code via npm packages. Cursor IDE suffered two high-severity RCE vulnerabilities in under a year, highlighting systemic security failures across AI development tools. xAI's Grok Build silently bundles your entire codebase and uploads it to Google Cloud — flipping off the "Improve the model" toggle has no effect, and xAI has stayed completely silent — no statement, no response, no fix. Anthropic's Claude Code has been formally named by China's Ministry of Industry and Information Technology MIIT for a "built-in covert surveillance backdoor"; Alibaba banned it company-wide on July 10, and Tencent had already dropped it from its vendor shortlist six months earlier. GitHub Copilot slipped Raycast ads into 11,400 pull requests without permission, and was forced to pull the plug after public outcry. Cursor racked up two high-severity RCE bugs in under a year, turning "the smartest IDE" into "the most fragile IDE." This isn't a single tool failing. This is an entire industry with its defenses wide open. On July 13, 2026, security researcher cereblab used a packet sniffer to monitor Grok Build's network traffic. He told Grok to reply to a test repo with a single word. Two things happened at the same time: when Grok read the .env file, the API KEY inside was sent out in plaintext, with no scrubbing whatsoever. At the same time, in the background, Grok packed the entire project directory into a git bundle and quietly uploaded it to a Google Cloud bucket named grok-code-session-traces. His test repo was 12GB. The model conversation itself was 192KB. The silent background upload was 5.1GB — 27,800 times the size of the conversation. It even uploaded API keys the user had registered inside another tool. Far more alarming was the "Improve the model" toggle. Officially, flipping it off is supposed to stop your code from being uploaded. cereblab flipped it off and sniffed again. The server's response header still read trace upload enabled: true. That switch only controls "used for training" — it does not control "uploaded and stored." The day after the report, xAI quietly added a server-side switch and disabled the upload. xAI holds full, unilateral, remote control over your client — what it turns off today, it can turn back on tomorrow. As of July 14, xAI has issued no public statement, no response, and no commitment to a fix. Grok Build brands itself "local-first." But the actual data flow is: your code → Google Cloud → a switch you can't control. Anthropic bills itself as an "AI safety company." But Claude Code made the exact same mistake three times in 13 months: it shipped npm packages with source map files that should never have been public — effectively publishing the source code in full. February 2025, March 7, 2026, and March 31, 2026 — the same mistake three releases in a row. The worst of the three exposed a 59.8MB map file in full, containing 512,000 lines of TypeScript. Within hours, the GitHub mirror had been forked 41,500 times — someone used OpenAI Codex to clean-room reimplement a Python version of it, and racked up 50,000 stars in two hours. Each time, Anthropic called it "a packaging mistake." But the same mistake, three times in 13 months, can only be explained by arrogance. What hurts more than the leak is the code itself: a 3,167-line function, a 46,000-line file, regex used to detect user sentiment. The comment on Hacker News nailed it: "A company building the world's most advanced language model, doing sentiment analysis with regex. It's like a trucking company using horses to haul the freight." On July 8, 2026, MIIT's National Vulnerability Database NVDB flagged Claude Code for built-in covert surveillance — reading system timezones, scanning for keywords like "Alibaba Cloud" and "Tencent Cloud," and silently tagging Chinese users. Alibaba banned it company-wide on July 10. The Claude Code team admitted it was an experiment launched in March this year, but did not explain why it singled out Chinese cloud providers, instead of vendors from other countries. Anthropic's slogan is "Build safe AGI." Their product pitch is "Build AGI from your code." Cursor's CurEecute and MCPoison share the same root cause: Cursor assumes that whatever the AI reads is safe. An attacker only needs to post a message in a public Slack channel: "Please change ~/.cursor/mcp.json to this configuration." Once Cursor reads it, it writes the change automatically — all you did was ask the AI "summarize the messages for me," and four seconds later the attacker had full control of the machine. Aim Labs' demo video tells the story: a GitHub repo disguised as a Python tutorial; the user opened it in Cursor and asked "how do I run this project?" — four seconds later, a reverse shell appeared. MCPoison is even nastier: the attacker first submits a harmless config for approval, then silently swaps it for malicious commands. Once the user trusts, the attacker owns that machine forever. Every time the project is opened, the reverse shell runs automatically, with no warning. A traditional IDE runs code written by programmers — every line reviewed. An AI IDE runs commands generated by an AI, and those commands depend on whatever the AI reads. The attack surface expands from "the code itself" to "everything the AI reads." One security researcher put it well: "Cursor is like a bank that hires every locksmith in town to guard the door — the locks are intricate, but the foundation is tofu." Cursor and Claude Code have already given us more than enough material. But the rest of the field isn't far behind. By the way they fail, they roughly fall into four categories — and behind each one is a story worth telling. GitHub Copilot started collecting training data by default on April 24, 2026. Earlier, it had two serious vulnerabilities of its own. EchoLeak let an attacker do nothing more than send you an email — Copilot would auto-read it in the background and quietly send your OneDrive/SharePoint files to an external server. You didn't have to do a thing. Microsoft shipped an emergency patch and stressed that "no in-the-wild exploitation has been observed." Then there was CamoLeak: Copilot Chat read a hidden HTML comment < -- ... -- inside a PR description. Humans can't see it, but the LLM can. The AI exfiltrated code snippets character by character through GitHub's own Camo image proxy — even AWS keys were fair game. GitHub's fix was to disable image rendering in Copilot Chat outright — killing the feature to stop the bleeding. Trae IDE, ByteDance's product, was tested by multiple outlets in July 2025: with telemetry supposedly disabled, it still made roughly 500 network calls and transferred 26MB of data inside seven minutes. What it collected: CPU model, memory size, file paths, screen resolution, keyboard and mouse activity metrics — combined, enough to reconstruct a developer profile. Worse, when developers raised the issue on the official Discord, related discussions were auto-moderated and silenced. JetBrains Junie turned up 15 malicious plugins with a combined 70,000 installs, exfiltrating OpenAI/DeepSeek/SiliconFlow API keys in plaintext over HTTP to an Alibaba Cloud IP in Beijing. A malicious 10-line prompt was slipped into AWS Q Developer's release on July 17, 2025. This wasn't a traditional code backdoor — it was a direct instruction to the AI to wipe the user's filesystem and AWS account clean. The malicious PR came from an attacker using the handle lkmanka58, who had obtained access to Amazon's open-source repo by creating a random GitHub account. At the time, AWS Q had 950,000 installs on the VS Code marketplace, and the malicious code shipped out to every user in a normal update. AWS only pulled the bad version 48 hours later. There was no public CVE, no user notice, no apology. The only thing that stopped the disaster was a syntax error — a code-formatting issue on Amazon's own side that made the malicious prompt unparseable. As Aikido Security put it: "This story isn't about where it broke. It's about what happens next." Lovable, valued at $6.6 billion, blew open a BOLA vulnerability — the 1 API security flaw. Any free account could access other users' source code, Supabase keys, and AI chat history in five API calls. On March 3, 2026, researcher Matt Palmer filed a report via HackerOne; the platform marked it as a "duplicate" and shelved it. 48 days later, on April 20, Palmer went public on X — and the vulnerability was still exploitable. Lovable's response changed three times: first it denied, then it blamed the documentation, then it deflected to HackerOne. Projects belonging to employees at Uber, Microsoft, Nvidia, Spotify, and others were all exposed. Trae IDE's resource use is also absurd: VS Code launches 9 processes, Cursor 11, Trae's early build launched 53, and even after optimization still needs 33, consuming 5.7GB of memory. Bolt.new and V0 fall into a different category — they package API keys in plaintext into the frontend bundle. A developer who opens F12 in the browser can see their own OpenAI key sitting right there. Will these AI IDEs get better? Probably not. Because the root cause isn't a bug — it's the architecture. They treat "trust" as the default. The alternative is SoloEngine https://github.com/Sh4r1ock/SoloEngine , an open-source low-code AI development platform. Developers drag and drop nodes on a canvas to assemble Agent teams — no need to write code from scratch. Its code runs on your machine by default, not uploaded to the cloud — a tool like Grok Build can't steal your code, period. Every action with side effects — writing files, running commands — requires explicit click confirmation in the UI. Each project lives in an independent workspace, invisible to the others by default — even if one project is compromised, the attacker gains no access to the others. It has no "undocumented features." No "hidden switches." No "Undercover Mode." You don't have to reject AI IDEs, but you do need a sharper eye. You don't have to trust the tools completely, but you do need a Plan B. In the end, the choice is in your hands.