2.7 Prompt Injection Targeting the Developer's IDE
Most discussions of prompt injection focus on deployed applications — an attacker injecting instructions into a chatbot's input. But there is a second attack surface that receives far less attention: prompt injection targeting the developer's AI coding tool itself.
When an AI coding agent reads files in your repository, it processes their content as part of its working context. If those files contain malicious instructions hidden in the text, the agent may follow those instructions as if they were legitimate commands — rather than treating them as ordinary text to analyze. The result can be SSH key theft, shell command execution, or silent modification of your security-critical code, all while the agent appears to be doing exactly what you asked.
How AI Coding Agents Read Files#
AI coding agents (Claude Code, Cursor, GitHub Copilot in agent mode) do not limit themselves to the single file you are editing. They automatically load a broad set of files to build up context — the information they use to understand your project and generate better suggestions. This includes:
.cursorrules/.cursor/rules— Cursor-specific behavior instructionsCLAUDE.md— project instructions for Claude CodeREADME.mdand documentation files — read for project context- Source code comments — read and reasoned about alongside the code
- Log files and test fixtures — processed if the agent reads them for context
- MCP configuration files — used when the agent connects to external tools
This automatic file loading is a useful feature — it makes suggestions more relevant. The problem is that an attacker who can add content to any of these files gains a direct way to feed instructions to the agent.
The Research Findings#
Independent security research has confirmed that this class of attack is not theoretical — it is highly practical and widely exploitable.
The AIShellJack Study (2025)#
Researchers from Singapore Management University published "Your AI, My Shell": Demystifying Prompt Injection Attacks on Agentic AI Coding Editors (arXiv:2509.22040). They built an automated testing framework called AIShellJack, collected 314 unique attack payloads mapped to 70 MITRE ATT&CK techniques (a widely used framework for categorizing attacker behaviors), and injected them into coding rule files that AI agents process.
Results across Cursor and GitHub Copilot, using models including Claude Sonnet and Gemini:
AIShellJack Attack Success Rates by MITRE ATT&CK Category
| Attack Category | What It Achieves | Success Rate |
|---|---|---|
| Initial Access | Establishing a foothold on the developer's machine | 93.3% |
| Discovery | Listing files, environment variables, system information | 91.1% |
| Impact | Modifying or destroying files on the machine | 83.0% |
| Credential Access | Extracting SSH keys, tokens, passwords | 68.2% |
| Overall peak (Cursor Auto mode) | TypeScript project scenario | 83.4% |
Source: 'Your AI, My Shell', arXiv:2509.22040 (2025). Command execution was triggered in 75–88% of scenarios even when full exfiltration was not completed.
The IDEsaster Research (2025)#
Researcher Ari Marzouk conducted a six-month investigation into AI coding tools, discovering 30+ vulnerabilities across all major AI IDEs and receiving 24 CVEs (officially recognized security vulnerability identifiers) from vendors. The key finding: every single AI IDE tested was vulnerable to prompt injection attacks that could result in remote code execution.
Affected tools included Cursor, GitHub Copilot, Claude Code, Windsurf, Roo Code, JetBrains Junie, and Zed. Marzouk found that AI IDE developers had focused their security efforts on the AI layer itself, while overlooking the underlying IDE's built-in features — which attackers could exploit through injected instructions.
The Rules File Backdoor (Pillar Security, 2025)#
Pillar Security discovered a particularly stealthy variant: attackers embed invisible Unicode characters (zero-width joiners, bidirectional text markers) inside .cursor/rules or .github/copilot-instructions.md files. These characters are completely invisible to anyone reading the file in an editor — they appear as blank space — but are passed verbatim to the AI model, which then executes the hidden instructions.
This technique was reported to both Cursor and GitHub in early 2025. GitHub later added a warning for hidden Unicode characters on github.com.
Attack Vectors in Detail#
1. Configuration Files (Highest Risk)#
The files that AI agents treat as primary instruction sources are the most dangerous injection points:
.cursor/rules(previously.cursorrules) — Cursor reads this at the start of every session and treats its content as behavioral directivesCLAUDE.md— Claude Code treats this as the authoritative source of project instructions, processed before any user message.github/copilot-instructions.md— GitHub Copilot's equivalent instruction file.codex/config.toml— OpenAI Codex's project configuration file, which can include custom instructions the agent follows
An attacker who contributes a .cursorrules file to a public repository — or modifies one that developers commonly copy from community forums — can inject instructions that activate when any developer opens that project with an AI agent.
2. README and Documentation#
AI agents read README files for project context. A malicious README can include instructions disguised as regular documentation — text that looks harmless to a human reader but is interpreted as directives by the AI. Because developers rarely read README files line by line before starting a coding session, this injection channel can remain unnoticed for extended periods.
3. Source Code Comments#
AI agents read and reason about source code comments to understand intent. Comments like // TODO: connect to external service or inline documentation can contain injected instructions. This vector is especially dangerous because comments appear to be written by developers and look completely benign in a code review.
4. Hidden Unicode Characters#
The rules file backdoor technique uses Unicode characters that are invisible in editors but still processed by the AI. You cannot spot these by reading the file normally — you need to check for them explicitly:
# Detect hidden Unicode in a rules file
# cat -A shows non-printable characters
cat -A .cursorrules | grep -P "[\x00-\x08\x0b-\x0c\x0e-\x1f\x7f-\x9f]"
# Or use python to check for zero-width and invisible codepoints
python3 -c "
import sys
invisible = {0x200b, 0x200c, 0x200d, 0x2060, 0xfeff, 0x200e, 0x200f}
text = open('.cursorrules').read()
found = [hex(ord(c)) for c in text if ord(c) in invisible]
if found:
print('Hidden Unicode found:', found)
else:
print('No hidden Unicode detected')
"
5. MCP Server Data#
MCP (Model Context Protocol) lets AI agents connect to external tools — GitHub, Slack, Notion, databases. When an MCP server returns data (a GitHub issue, a Slack message, a database record), that data is passed as plain text into the AI's context. If an attacker can control any content that reaches the MCP server, they have an injection path into the agent.
Security firm Invariant Labs demonstrated this concretely: an attacker filed a malicious GitHub issue in a public repository. When a developer's agent used the GitHub MCP server to review that repository's issues, the agent read the hidden instructions, accessed the developer's private repositories, and exfiltrated private code by creating a pull request in the public repository.
A Real-World Vulnerability: CVE-2025-53773#
Researcher Johann Rehberger discovered a critical vulnerability in GitHub Copilot in which prompt injection via malicious content in source files, web pages, or GitHub issues could trigger the following attack chain:
- Injected instructions tell Copilot to modify
.vscode/settings.jsonto enable"chat.tools.autoApprove": true - Copilot enters a mode where all tool calls execute without asking for user confirmation
- The attacker's subsequent instructions execute arbitrary shell commands with full remote code execution
This was patched in Microsoft's August 2025 Patch Tuesday (CVE-2025-53773). It illustrates a key pattern: an injection does not always act immediately — it can first disable the confirmation step that protects you, and then act freely on your system.
Prompt Injection via Repository Configuration Files
HighMalicious instructions embedded in a .cursorrules file. The file opens with legitimate-looking coding preferences, making the injected section easy to overlook.
When Are You at Risk?#
Most developers encounter this attack surface in three common situations:
Cloning an external repository:
When you clone a repository from GitHub and use an AI coding agent to work on it, the agent reads .cursorrules, CLAUDE.md, README files, and other files that the repository's contributors — or an attacker who submitted a pull request — placed there. The agent has no way to tell a malicious .cursorrules file apart from a legitimate one.
Using community rules and templates:
Developers often copy .cursorrules or CLAUDE.md files from community forums, blog posts, and template repositories to customize their AI coding experience. A malicious entry in a shared rules collection activates for every developer who copies it into their project.
Working with external data through MCP tools: If you use MCP integrations (GitHub, Slack, Notion, Linear), the content those tools return — issues, messages, documents — flows directly into your agent's context. An attacker who can contribute content to any connected system has an injection path into your agent.
How This Differs from Chapter 3 Prompt Injection#
Both this section and Chapter 3, Section 3.1 involve the same underlying mechanism: malicious text causes an AI to follow attacker instructions instead of legitimate ones. The difference is who is targeted and where the attack originates.
Prompt Injection: IDE Context vs. Deployed Application Context
| Injection targeting the IDE (§2.7) | Injection in deployed apps (§3.1) | |
|---|---|---|
| Who is targeted | The developer and their local machine | End users and application data |
| Attack surface | Repository files, config files, MCP tool responses | User input fields, retrieved documents, database records |
| How it is delivered | Malicious content in cloned repos or shared templates | Chat input, PDF uploads, poisoned knowledge base entries |
| Potential impact | Credential theft, RCE, silent code modification | Session hijack, data exfiltration, unauthorized AI actions |
| Who writes the defense | The developer using the AI tool | The developer building the AI-powered application |
Both attack types share the same root cause: the AI cannot reliably distinguish trusted instructions from untrusted data in its context.
Practical Guidance#
1. Before using an AI agent on a cloned or external repository:
Review these files manually before opening the project with any AI agent: .cursorrules, .cursor/rules, CLAUDE.md, .github/copilot-instructions.md, and README.md. Use a plain text editor — not the AI agent — for this review.
2. Check for hidden Unicode in rules files: The invisible Unicode attack is specifically designed to evade manual review. Run the Python check shown in the SecurityCard above before trusting any rules file that was not written by you or your team.
3. Configure your AI tool's file exclusion list:
Most AI coding tools let you specify directories the agent is not allowed to read. Add your credential directories — ~/.ssh, ~/.aws, ~/.config/gcloud, ~/.kube — to the exclusion list before starting any agent session.
4. Use isolated environments for unfamiliar repositories: Running AI agent sessions inside a Docker container or GitHub Codespace limits the damage if an injection succeeds. The agent's file access is confined to the container, protecting your host machine's SSH keys, tokens, and configuration files.
5. Be skeptical of publicly shared rules collections:
If you adopt a .cursorrules or CLAUDE.md template from a blog post or community forum, treat it the same way you would treat code from an unknown open-source contributor — review it carefully before giving it access to your system.
6. Never enable unrestricted auto-approve modes:
Features like --dangerously-skip-permissions in Claude Code and similar auto-approve settings in other tools remove the confirmation step that prevents injected instructions from executing silently. The research shows this is precisely what attackers try to disable first (as demonstrated in CVE-2025-53773).
Sources:
- Your AI, My Shell: Demystifying Prompt Injection Attacks on Agentic AI Coding Editors (AIShellJack, arXiv:2509.22040, 2025)
- IDEsaster: 30+ Vulnerabilities Across All Major AI IDEs (Ari Marzouk, 2025)
- Rules File Backdoor: AI Code Editors Silent Supply Chain Attack (Pillar Security, 2025)
- MCP Prompt Injection — Exfiltrating Private Data (Invariant Labs, 2025)
- CVE-2025-53773: GitHub Copilot Remote Code Execution via Prompt Injection
- CWE-77: Improper Neutralization of Special Elements used in a Command (MITRE)