Novel Vulnerabilities and Attack Vectors in AI-Powered IDEs and Coding Assistants
A new class of vulnerabilities, termed "IDEsaster," has been discovered affecting a wide range of AI-powered Integrated Development Environments (IDEs) and coding assistants. Research revealed that over 30 security vulnerabilities, including 24 assigned CVEs, impact more than 10 leading products such as GitHub Copilot, Claude Code, and others, potentially exposing millions of users. The vulnerabilities stem from the integration of AI agents into IDEs, which were not originally designed with such capabilities in mind, leading to attack chains that can result in data exfiltration and remote code execution. Major vendors have issued advisories and updated documentation in response to these findings.
Further research highlights the risks associated with the Model Context Protocol (MCP) sampling feature, commonly used in coding copilot applications. Without adequate safeguards, malicious MCP servers can exploit this feature to perform resource theft, hijack conversations, exfiltrate sensitive data, and covertly invoke tools. Proof-of-concept attacks demonstrate that the implicit trust model and lack of robust security controls in MCP can be leveraged for persistent and covert attacks, underscoring the urgent need for improved security measures in AI-driven development environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Media report says over 30 AI IDE vulnerabilities affect major tools
Tom's Hardware reported that researchers had uncovered more than 30 vulnerabilities affecting popular AI coding tools including GitHub Copilot, Cursor, and Claude Code across major IDE platforms. The report highlighted risks of sensitive data exfiltration and, in some cases, remote code execution, and said current mitigations are insufficient without deeper IDE redesign.
IDEsaster research is published
Research branded as 'IDEsaster' was published describing a novel vulnerability class in AI IDEs. The work centered on data theft and possible remote code execution risks arising from prompt injection, context hijacking, and unsafe interactions with IDE functionality.
Unit 42 discloses MCP sampling prompt-injection attack vectors
Palo Alto Networks Unit 42 published research showing that malicious or compromised MCP servers can abuse the Model Context Protocol sampling feature to carry out prompt-injection attacks against coding copilots. The report demonstrated proof-of-concept attacks including hidden token-burning resource theft, persistent conversation hijacking, and covert tool invocation such as unauthorized file writes.
Researchers investigate AI IDE security flaws over six months
A six-month investigation examined AI-assisted development tools embedded in IDEs such as Visual Studio Code, JetBrains products, and Zed, focusing on how autonomous AI agents interact with legacy IDE features. The research found a broad new vulnerability class affecting all tested AI IDEs and coding assistants.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Critical flaws found in AI development tools dubbed an 'IDEsaster' — data theft and remote code execution possible
tomshardware.com
Open sourceIDEsaster: A Novel Vulnerability Class in AI IDEs
maccarita.com
Open sourceNew Prompt Injection Attack Vectors Through MCP Sampling
unit42.paloaltonetworks.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Vulnerabilities in AI-Powered Coding Tools Enable Data Exfiltration and Remote Code Execution
Security researchers have disclosed over 30 vulnerabilities in a range of AI-powered Integrated Development Environments (IDEs) and coding assistants, collectively named 'IDEsaster.' These flaws, affecting popular tools such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline, allow attackers to chain prompt injection techniques with legitimate IDE features to achieve data exfiltration and remote code execution (RCE). The vulnerabilities exploit the fact that AI agents integrated into these environments can autonomously perform actions, bypassing traditional security boundaries and enabling attackers to hijack context, trigger unauthorized tool calls, and execute arbitrary commands. At least 24 of these vulnerabilities have been assigned CVE identifiers, highlighting the widespread and systemic nature of the risk. The research emphasizes that the integration of AI agents into development workflows introduces new attack surfaces, as these agents often operate with elevated privileges and insufficient threat modeling. Notably, the issues differ from previous prompt injection attacks by leveraging the AI agent's ability to activate legitimate IDE features for malicious purposes. Additional reporting confirms that critical CVEs have been issued for these tools, and broader industry analysis warns that nearly half of all AI-generated code contains exploitable flaws, with a particularly high vulnerability rate in Java. The findings underscore the urgent need for organizations using AI-driven development tools to reassess their security postures and apply available patches to mitigate the risk of data theft and RCE attacks.
Mar 21, 2026
Security Risks in AI Coding Assistants: Prompt Injection and Dependency Hijacking
Security researchers have identified significant risks in AI-powered coding assistants, including Microsoft's Copilot and Claude Code, stemming from both prompt injection vulnerabilities and the potential for dependency hijacking via third-party plugins. In the case of Copilot, a security engineer disclosed several issues such as prompt injection leading to system prompt leaks, file upload policy bypasses using base64 encoding, and command execution within Copilot's isolated environment. Microsoft, however, has dismissed these findings as limitations of AI rather than true security vulnerabilities, sparking debate within the security community about the definition and handling of such risks. Separately, analysis of Claude Code highlights the dangers of plugin marketplaces, where third-party 'skills' can be enabled to automate tasks like dependency management. A technical review demonstrated how a seemingly benign plugin could redirect dependency installations to attacker-controlled sources, resulting in the silent introduction of trojanized libraries into development environments. These risks are compounded by the persistent nature of enabled plugins, which can continue to influence agent behavior and potentially compromise projects over time, underscoring the need for greater scrutiny and security controls in AI development tools.
Mar 21, 2026
Critical Vulnerabilities in Cline Bot AI Coding Assistant Enable Data Theft and Code Execution
A security audit conducted by Mindgard uncovered four major vulnerabilities in the popular Cline Bot AI coding assistant, which has over 3.8 million installs and more than 1.1 million daily active users. The flaws include the potential for attackers to steal sensitive information such as API keys, execute unauthorized code on a developer's machine, bypass internal safety checks, and leak confidential details about the AI model itself. The attack vector involves prompt injection, where malicious instructions are hidden in source code files; when Cline Bot analyzes such files, it can be manipulated into performing dangerous actions without the user's knowledge or consent. These findings highlight significant risks associated with the widespread adoption of AI coding assistants, as even trusted tools can be exploited to compromise developer environments. The vulnerabilities were identified rapidly—within two days of the audit's start—demonstrating both the urgency and the ease with which such flaws can be discovered and potentially abused. The research underscores the need for rigorous security assessments of AI-powered development tools and increased awareness of the risks posed by prompt injection and insufficient safety controls in these systems.
Mar 21, 2026