TL;DR

- AI editors surface MD5 hashing from training data dominated by 2008-2014 tutorials
- MD5 hashes crack in milliseconds on modern GPUs -- any breach becomes full password exposure
- Fix: one import swap to bcrypt (Python) or argon2id (Node) -- no architecture changes needed

I was reviewing a side project a friend built with Cursor. Flask backend, JWT auth, clean structure. It looked solid.

Then I got to the password module.

```python
hashlib.md5(password.encode()).hexdigest()
```

MD5. In 2026. About to go live.

He hadn't written it -- Cursor had. He'd accepted it because it ran, the tests passed, and the login flow worked. Nothing flagged a problem. Why would it? The code is syntactically correct. It's just cryptographically broken.

## The Vulnerable Pattern (CWE-328)

Here's the exact output from Cursor on a basic auth route:

```python
import hashlib

def hash_password(password: str) -> str:
    return hashlib.md5(password.encode()).…
```
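Swapping the hash function does not repair MD5 digests that are already stored, so the following added example (not code from the post or from Cursor) shows the weak pattern beside a salted, memory-hard replacement with a rehash-on-login upgrade path. It uses the standard library's `hashlib.scrypt` in place of the bcrypt the post recommends so it runs without third-party packages; `verify_password`, `login`, the `db` dict and the `scrypt$salt$key` record format are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def md5_hash(password: str) -> str:
    """The weak pattern from the post: fast, unsalted, deterministic."""
    return hashlib.md5(password.encode()).hexdigest()


def _scrypt(password: str, salt: bytes) -> bytes:
    # Constructed cost parameters (about 16 MiB per hash); tune for your hardware.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str) -> str:
    """Hardened form: per-record random salt plus a memory-hard KDF."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def verify_password(password: str, stored: str) -> tuple[bool, bool]:
    """Return (ok, needs_rehash); a legacy MD5 record asks for an upgrade."""
    if stored.startswith("scrypt$"):
        try:
            _, salt_hex, key_hex = stored.split("$")
            salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        except ValueError:
            return False, False  # malformed record: fail closed
        return hmac.compare_digest(_scrypt(password, salt), expected), False
    # Anything without the prefix is treated as a legacy MD5 hex digest.
    ok = hmac.compare_digest(md5_hash(password).encode(), stored.encode())
    return ok, ok


def login(db: dict, user: str, password: str) -> bool:
    """Check a login and replace a legacy MD5 record once it verifies."""
    stored = db.get(user)
    if stored is None:
        return False
    ok, needs_rehash = verify_password(password, stored)
    if ok and needs_rehash:
        db[user] = hash_password(password)  # the MD5 digest is overwritten
    return ok
```

Accounts that never log in again keep their MD5 record, so a migration like this still needs a cutoff after which remaining legacy records are invalidated and reset.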