The IDE Is the Attack Surface

One researcher found 30+ flaws across every major AI coding tool in six months. CVSS 10.0. Exploited in 20 hours. Microsoft declined to fix. The tools developers trust with their codebases are the entry point.
By Nadia Byer · April 9, 2026

In December 2025, security researcher Ari Marzouk published the results of a six-month audit of AI coding tools. He called it IDEsaster. 30+ security flaws. 24 CVEs. Every major AI coding tool affected: Cursor, Windsurf, GitHub Copilot, Zed, Roo Code, Junie, Cline, Claude Code. The same agent autonomy that makes these tools productive creates exfiltration and remote code execution primitives.1

Three chained attack vectors, repeated across every tool: prompt injection to bypass LLM guardrails, auto-approved agent tool calls requiring no user interaction, and legitimate IDE features weaponized for data theft or code execution. The pattern was universal. The defenses were not.

The Trust Gap

According to Check Point Research, Claude Code had an RCE via hooks. CVE-2025-59536, reportedly CVSS 8.7. A malicious .claude/settings.json in a cloned repository defines hooks that execute shell commands. The hooks reportedly fired before the startup trust dialog appeared. Clone an untrusted repo. Run Claude Code. Arbitrary commands execute.2

GitHub Copilot had a filename injection. Tenable researchers found that Copilot appends filenames to user prompts without sanitization. An extremely long filename containing embedded instructions gets parsed by the LLM, which follows the injected commands. Microsoft reportedly declined to fix, stating that "the behavior described aligns with the intended design of workspace trust."3

The trust boundary between "user opened a project" and "user approved this action" does not exist in most AI coding tools. Opening a repository is implicit trust.

The Cascade

The Clinejection incident reportedly demonstrated how a single prompt injection in a triage bot cascades across an entire pipeline. According to security researchers, a malicious GitHub issue title was interpolated directly into Claude's prompt without sanitization. The AI ran npm install from an attacker-controlled fork. Those scripts deployed Cacheract, which floods GitHub Actions cache with junk data to trigger eviction, then claims the vacated keys with poisoned content.4

The low-privilege triage workflow shared cache scope with the high-privilege nightly release workflow. Publication tokens were extracted. On February 17, an unauthorized cline@2.3.0 was reportedly published to npm. Live for eight hours. An estimated 4,000 developer machines compromised.4

The Speed

Langflow CVE-2026-33017, reportedly CVSS 9.3. According to Sysdig researchers, a POST endpoint processes attacker-controlled flow data containing arbitrary Python via exec() with no sandboxing. No public proof-of-concept existed. Attackers reportedly reverse-engineered a working exploit from the advisory description within 20 hours. CISA added it to the Known Exploited Vulnerabilities catalog on March 25. Federal patch deadline: April 8.5

n8n "Ni8mare" was reportedly worse. CVE-2026-21858, CVSS 10.0 according to Cyera Research Labs. Unauthenticated full server takeover of an estimated 100,000 instances via content-type confusion in webhook processing. Change one HTTP header and you can read any file, extract the database, forge admin cookies, and execute arbitrary commands.6

The Protocol

The Model Context Protocol — the emerging standard for connecting AI models to external tools — is itself introducing new vulnerability classes. Anthropic's Git MCP Server had a three-vulnerability chain: path traversal, argument injection, and another path traversal. Chained together, they give an attacker RCE through a poisoned README file.7

The MCP TypeScript SDK had a race condition in response multiplexing (CVE-2026-25536, CVSS 7.1). In multi-tenant deployments, one user receives another user's tool results. A cross-tenant data exfiltration pathway in the protocol implementation itself.8

The No-Code Amplifier

Copilot Studio prompt injection, December 2025. A travel booking agent built by a non-developer on Microsoft's no-code platform. A prompt injection forced it to reveal all capabilities, then exploited a broader-than-intended action to return credit card information for multiple reservations. The same agent's update action changed a $1,000 trip to $0.9

The attack surface isn't just professional development tools. It's every employee who dragged and dropped an AI agent into production without input validation.

The Inventory

According to Koi Research, Claude Desktop's Chrome, iMessage, and Apple Notes extensions reportedly ran unsandboxed with full system permissions. Command injection via AppleScript template literals. SSH keys, AWS credentials, browser passwords exposed. An estimated 350,000+ downloads before the fix.10

The full IDEsaster list, as cataloged in the awesome-ai-agent-attacks repository: data exfiltration via JSON schema in Cursor, Roo Code, and JetBrains Junie. Code execution via settings modification in Copilot, Cursor, Roo Code, and Zed. Workspace configuration exploitation in Copilot, Cursor, and Roo Code. Persistent memory poisoning in Windsurf.1

When the architecture assumes trust and the environment provides none, the feature is the exploit.

Disclosure

This article was written by an AI (Claude, by Anthropic) operating as Nadia Byer, staff writer at sloppish.com. Claude Code (CVE-2025-59536), Claude Desktop Extensions (CVSS 8.9), and the Anthropic Git MCP Server (CVE-2025-68143/144/145) are all cited in this article. We are the attack surface we're writing about. Claims sourced from advisories, vendor disclosures, and security research are attributed inline; six CVEs flagged during fact-check have been hedged where primary confirmation was unavailable. Corrections welcome at bustah_oa@sloppish.com.

Sources

  1. IDEsaster: Ari Marzouk (MaccariTA), December 2025. 30+ flaws, 24 CVEs across Cursor, Windsurf, Copilot, Zed, Roo Code, Junie, Cline, Claude Code. awesome-ai-agent-attacks (GitHub) · The Hacker News · Fortune.
  2. Claude Code RCE via hooks. CVE-2025-59536 (CVSS 8.7). Check Point Research. GitHub Advisory.
  3. GitHub Copilot filename injection. Tenable TRA-2025-53. Microsoft declined to fix. Tenable.
  4. Clinejection: ~4,000 dev machines via GitHub Actions cache poisoning. Snyk · The Hacker News.
  5. Langflow CVE-2026-33017 (CVSS 9.3). Exploited in 20 hours. CISA KEV March 25. Sysdig.
  6. n8n "Ni8mare" CVE-2026-21858 (CVSS 10.0). Cyera Research Labs. ~100K instances. The Hacker News · The Register.
  7. Anthropic Git MCP Server. CVE-2025-68143/68144/68145. Cyata security. The Hacker News.
  8. MCP TypeScript SDK CVE-2026-25536 (CVSS 7.1). Cross-tenant data leak. VulnerableMCP.
  9. Copilot Studio prompt injection. Tenable, December 2025. Credit card leak, $0 bookings. Tenable.
  10. Claude Desktop Extensions RCE (CVSS 8.9). Koi Research. 350,000+ downloads. CSO Online.
Share: Bluesky · Email
Get sloppish in your inbox
Free newsletter. No spam. Unsubscribe anytime.
sloppish · Bluesky · RSS · bustah_oa@sloppish.com