Security Risks in AI Coding Assistants: Prompt Injection and Dependency Hijacking
Security researchers have identified significant risks in AI-powered coding assistants, including Microsoft's Copilot and Claude Code, stemming from both prompt injection vulnerabilities and the potential for dependency hijacking via third-party plugins. In the case of Copilot, a security engineer disclosed several issues such as prompt injection leading to system prompt leaks, file upload policy bypasses using base64 encoding, and command execution within Copilot's isolated environment. Microsoft, however, has dismissed these findings as limitations of AI rather than true security vulnerabilities, sparking debate within the security community about the definition and handling of such risks.
Separately, analysis of Claude Code highlights the dangers of plugin marketplaces, where third-party 'skills' can be enabled to automate tasks like dependency management. A technical review demonstrated how a seemingly benign plugin could redirect dependency installations to attacker-controlled sources, resulting in the silent introduction of trojanized libraries into development environments. These risks are compounded by the persistent nature of enabled plugins, which can continue to influence agent behavior and potentially compromise projects over time, underscoring the need for greater scrutiny and security controls in AI development tools.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Public debate emerges over whether Copilot prompt injection issues are vulnerabilities
Reporting on Russell's Copilot findings sparked broader debate in the security community over whether prompt injection and similar AI assistant weaknesses should be treated as true vulnerabilities or as inherent limitations of large language models. Microsoft maintained that without a crossed security boundary such as unauthorized access or data exfiltration, the issues do not meet its vulnerability threshold.
John Russell reports four Microsoft Copilot issues to Microsoft
Cybersecurity engineer John Russell reported four issues in Microsoft Copilot, including prompt injection behavior and a file upload policy bypass that used base64-encoded files to evade intended restrictions. Microsoft reviewed the reports but determined they did not qualify as serviceable security vulnerabilities under its criteria.
SentinelOne demonstrates dependency hijack via Claude Code marketplace skill
SentinelOne's Prompt Security team showed that a seemingly benign third-party skill from an unofficial Claude Code marketplace could redirect dependency installations to attacker-controlled sources, leading to trojanized libraries being introduced into development environments. The researchers said the enabled plugin could persist across sessions, creating a software supply chain risk through the assistant's automation and privileges.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Are Copilot prompt injection flaws vulnerabilities or AI limits?
bleepingcomputer.com
Open sourceWhen Your AI Coding Plugin Starts Picking Your Dependencies: Marketplace Skills and Dependency Hijack in Claude Code
sentinelone.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Prompt Injection Vulnerabilities in Microsoft Copilot Studio AI Agents
Security researchers demonstrated that Microsoft Copilot Studio's no-code AI agent platform is susceptible to prompt injection attacks, allowing unauthorized access to sensitive business data. By leveraging the platform's ease of use, even non-technical employees can create AI agents that integrate with critical business systems such as SharePoint, Outlook, and Teams. In controlled tests, researchers were able to extract customer credit card information and manipulate booking systems to create fraudulent transactions, such as booking a $0 vacation, by issuing carefully crafted prompts to the AI agents. The core risk arises from the democratization of AI agent creation, which, while boosting productivity, also increases the attack surface for organizations. The lack of technical safeguards and the inherent vulnerabilities of large language models (LLMs) make it easy for attackers or even well-meaning users to bypass intended security controls. Experts warn that these agentic tools, if not properly secured, can lead to significant data exposure and workflow hijacking, underscoring the urgent need for robust security practices and oversight when deploying AI-powered automation in business environments.
Mar 21, 2026
Novel Vulnerabilities and Attack Vectors in AI-Powered IDEs and Coding Assistants
A new class of vulnerabilities, termed "IDEsaster," has been discovered affecting a wide range of AI-powered Integrated Development Environments (IDEs) and coding assistants. Research revealed that over 30 security vulnerabilities, including 24 assigned CVEs, impact more than 10 leading products such as GitHub Copilot, Claude Code, and others, potentially exposing millions of users. The vulnerabilities stem from the integration of AI agents into IDEs, which were not originally designed with such capabilities in mind, leading to attack chains that can result in data exfiltration and remote code execution. Major vendors have issued advisories and updated documentation in response to these findings. Further research highlights the risks associated with the Model Context Protocol (MCP) sampling feature, commonly used in coding copilot applications. Without adequate safeguards, malicious MCP servers can exploit this feature to perform resource theft, hijack conversations, exfiltrate sensitive data, and covertly invoke tools. Proof-of-concept attacks demonstrate that the implicit trust model and lack of robust security controls in MCP can be leveraged for persistent and covert attacks, underscoring the urgent need for improved security measures in AI-driven development environments.
Mar 21, 2026
Security Risks and Controls for AI-Powered Coding Assistants and Agents
The rapid adoption of AI-powered agents and coding assistants has introduced new security challenges, particularly as these systems gain deeper access to sensitive enterprise environments and proprietary codebases. Recent research and technical reviews highlight the need for robust information flow control mechanisms to prevent unauthorized data exposure and ensure that AI agents act within defined security boundaries. As AI agents evolve from passive tools to autonomous actors capable of executing workflows, approving access, and interacting with APIs, understanding and modeling their execution and decision-making processes becomes critical for effective risk management. A focused security assessment of the Cursor AI coding assistant revealed three key vulnerabilities related to its deep integration with development workflows and privileged access to code repositories. The review emphasized the importance of ethical hacking and red teaming to uncover risks in third-party AI tools, especially those embedded in widely used platforms like Visual Studio Code. Security practitioners are encouraged to adopt formal models and reusable frameworks for auditing AI agents, ensuring that both the underlying technology and its operational context are thoroughly evaluated for potential threats.
Mar 21, 2026