When AI Ships the Code, Who Owns the Risk with Varun Badhwar and Henrik Plate

Jan 8, 2026

Varun Badhwar, co-founder and CEO of Endor Labs, and Henrik Plate, Principal Security Researcher at Endor Labs, dive into the complexities of AI-assisted software development. They discuss the rapid adoption of MCPs and the emerging security risks, including malicious packages that exploit agents. The conversation highlights the shortcomings of traditional AppSec and argues for embedding security in IDEs. With insights from their 2025 State of Dependency Management report, they stress the importance of integrating security from the start to combat rising vulnerabilities.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Functionality Often Masks Insecurity

AI coding agents produce functionally correct code but often replicate insecure patterns learned from public code.
Only a small fraction of agent-generated code is both functional and secure, creating hidden security debt.

INSIGHT

MCP Adoption Exploded

The open source community rapidly created thousands of MCP servers, demonstrating fast adoption.
Rapid growth raises trust and vetting challenges for organizations picking MCPs from public repos.

ADVICE

Vet MCPs Before Use

Do vet MCP servers before integrating them: check licenses, dependencies, and use of sensitive APIs.
Treat MCPs like any third-party code and enforce verification and runtime guards.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

AI isn’t quietly changing software development… it’s rewriting the rules while most security programs are still playing defense. When agents write code at machine speed, the real risk isn’t velocity, it’s invisible security debt compounding faster than teams can see it.

In this episode, Ron Eddings sits down with Varun Badhwar, Co-Founder & CEO of Endor Labs, and Henrik Plate, Principal Security Researcher of Endor Labs, to break down how AI-assisted development is reshaping the software supply chain in real time. From MCP servers exploding across GitHub to agents trained on insecure code patterns, they analyze why traditional AppSec controls fail in an agent-driven world and what must replace them.

This conversation pulls directly from Endor Labs’ 2025 State of Dependency Management Report, revealing why most AI-generated code is functionally correct yet fundamentally unsafe, how malicious packages are already exploiting agent workflows, and why security has to exist inside the IDE, not after the pull request.

Impactful Moments
00:00 – Introduction
02:00 – Star Wars meets cybersecurity culture
03:00 – Why this report matters now
04:00 – MCP adoption explodes overnight
10:00 – Can you trust MCP servers
12:00 – Malicious packages weaponize agents
14:00 – Code works, security fails
22:00 – Hooks expose agent behavior
28:30 – 2026 means longer lunches
33:00 – How Endor Labs fixes this

Links
Connect with our Varun on LinkedIn: https://www.linkedin.com/in/vbadhwar/

Connect with our Henrik on LinkedIn: https://www.linkedin.com/in/henrikplate/

Check out Endor Labs State of Dependency Management 2025: https://www.endorlabs.com/lp/state-of-dependency-management-2025

Check out our upcoming events: https://www.hackervalley.com/livestreams

Join our creative mastermind and stand out as a cybersecurity professional:
https://www.patreon.com/hackervalleystudio

Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com

Continue the conversation by joining our Discord: https://hackervalley.com/discord

Become a sponsor of the show to amplify your brand: https://hackervalley.com/work-with-us/