Security researchers have uncovered more than 30 serious vulnerabilities across a range of AI-powered coding tools and IDE extensions that could be weaponized for data theft, configuration tampering, and remote code execution (RCE).<\/p>\n
The newly identified vulnerability class, dubbed \u201cIDEsaster\u201d by Ari Marzouk (MaccariTA), the researcher behind the discovery, shows how AI agents can be manipulated through prompt injection to misuse legitimate IDE features.<\/p>\n
The vulnerabilities span popular tools such as Cu<\/em>rsor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, Cline, Claude Code, and Gemini CLI. Researchers found that 100% of tested AI IDEs were vulnerable, with 24 CVEs assigned so far.<\/p>\n “I think the fact that multiple universal attack chains affected each and every AI IDE tested is the most surprising finding of this research,” Marzouk told The Hacker News<\/em>.<\/p>\n How IDEsaster Works<\/strong><\/p>\n The IDEsaster chain relies on three components:<\/p>\n Unlike earlier AI-related vulnerabilities that depended on buggy tools, IDEsaster exploits legitimate IDE capabilities \u2014 turning normal development features into pathways for data exfiltration or RCE.<\/p>\n Real-World Exploit Scenarios <\/strong><\/p>\n Researchers demonstrated several high-impact attacks. Some of the most serious flaws include:<\/p>\n In all cases, these attacks require no user interaction once the malicious prompt is processed. The entire process can happen without the user noticing \u2014 and without reopening or refreshing the project.<\/p>\n Why AI Makes IDEs More Vulnerable<\/strong><\/p>\n The core issue is that LLMs cannot reliably distinguish between normal content and embedded malicious instructions. A single poisoned file name, diff output, or pasted URL can manipulate the model.<\/p>\n “Any repository using AI for issue triage, PR labeling, code suggestions, or automated replies is at risk of prompt injection, command injection, secret exfiltration, repository compromise and upstream supply chain compromise,” Aikido researcher Rein Daelman warned.<\/p>\n Marzouk stressed that the industry must adopt a new mindset \u2014 \u201c<\/em>Secure for AI\u201d \u2014 meaning developers must anticipate how AI-driven features could be abused in the future, not just how they function today.<\/p>\n How Developers Can Protect Themselves<\/strong><\/p>\n Researchers suggest several precautions for developers using AI IDEs<\/strong>:<\/p>\n For developers building AI IDEs<\/strong>, experts urge:<\/p>\n With millions of developers now relying on AI-powered IDEs, the push to embed security into their design has never been more urgent.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Security researchers have uncovered more than 30 serious vulnerabilities across a range of AI-powered coding tools and IDE extensions that could be weaponized for data theft, configuration tampering, and remote code execution (RCE). The newly identified vulnerability class, dubbed \u201cIDEsaster\u201d by Ari Marzouk (MaccariTA), the researcher behind the discovery, shows how AI agents can be […]<\/p>\n","protected":false},"author":20,"featured_media":128147,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1989,3141,7],"tags":[4912,64723,64722,64726,62634,9250,64730,64724,64725,64728,61072,915,64729,64727,38328,6781],"class_list":{"0":"post-128140","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ai","8":"category-news","9":"category-security-news","10":"tag-ai","11":"tag-ai-coding","12":"tag-ai-coding-tools","13":"tag-ai-ides","14":"tag-data-theft","15":"tag-ide","16":"tag-ide-extensions","17":"tag-idesaster","18":"tag-json","19":"tag-prompt-injection","20":"tag-rce","21":"tag-remote-code-execution","22":"tag-remote-json-schema","23":"tag-secure-for-ai","24":"tag-security-flaws","25":"tag-vulnerability"},"yoast_head":"\n\n
\n
\n
\n