Two things happened in 2026, close enough together that they should change how you think about a bug that's been around forever.
First: a lot of the C# shipping today wasn't fully written by a person. Sonar's developer survey put AI-generated or AI-assisted code at roughly 42% of everything being written. Second: in November 2025, Anthropic reported shutting down what it described as the first large-scale cyber-espionage campaign run mostly by an AI agent. A state-sponsored group used Claude Code as an autonomous operator that handled an estimated 80–90% of the actual work, including finding and exploiting vulnerabilities in live targets across around thirty organizations.
Read those two together. AI is writing a lot of the code, and AI can now go looking for the holes in it at machine speed. The slow, expensive part of an attack used to be a human sitting there reading your code, hunting for a way in. That part is getting automated.
So the question isn't really "is my code clean" anymore. It's "where's the most likely hole, and did I close it." For .NET the data points at one answer, and it's nothing exotic.
What the studies actually found







