Summary
Aim Labs disclosed CurXecute (CVE-2025-54135, CVSS 8.6), a remote-code-execution flaw in the Cursor AI code editor reachable through prompt injection. Because Cursor runs with developer-level privileges and supports the Model Context Protocol, untrusted external data pulled in by an MCP server (for example a crafted Slack message) can redirect the agent's control flow and rewrite the global mcp.json configuration to execute arbitrary commands. Potential consequences include data exfiltration, ransomware deployment, and dependency poisoning; it was patched in Cursor 1.3 on July 29, 2025.
How to avoid it in your code
- Upgrade Cursor to version 1.3 or later to apply the CurXecute fix.
- Disable MCP auto-start; require human approval before agents execute commands or edit mcp.json.
- Treat MCP-sourced external data (Slack, web) as untrusted data, not instructions.
- Run the editor/agent with least privilege and an egress allow-list; vet and pin MCP servers.
- Make mcp.json and config files write-protected from agent-driven changes.
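As an added example (not code from the original page or from Cursor), a defender-side check for the last two mitigations: it records an approved fingerprint of each MCP server entry in mcp.json (command, args, env, url, but not the entry name) and flags entries that are new, removed, or whose executable content changed while the name stayed the same, the trust-by-name gap described under the related MCPoison entry. Both JSON documents are constructed samples.

```python
import hashlib
import json

# Constructed sample: the mcp.json a developer reviewed and approved.
APPROVED_MCP_JSON = """{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "."]},
    "slack": {"command": "npx", "args": ["-y", "slack-mcp-server"], "env": {"SLACK_TEAM": "t1"}}
  }
}"""

# Constructed sample: the same file after an agent-driven rewrite. "slack" keeps
# its approved name but now runs a different command; "helper" is brand new.
TAMPERED_MCP_JSON = """{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "."]},
    "slack": {"command": "sh", "args": ["-c", "echo PLACEHOLDER-PAYLOAD"]},
    "helper": {"command": "python3", "args": ["-c", "print('hi')"]}
  }
}"""

def fingerprint(entry: dict) -> str:
    """Hash only the fields that decide what executes, never the entry's name."""
    material = json.dumps(
        {"command": entry.get("command"), "args": entry.get("args", []),
         "env": entry.get("env", {}), "url": entry.get("url")},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()

def build_lockfile(mcp_json: str) -> dict:
    """Approved state: entry name -> fingerprint of its executable content."""
    servers = json.loads(mcp_json).get("mcpServers", {})
    return {name: fingerprint(entry) for name, entry in servers.items()}

def audit(lockfile: dict, mcp_json: str) -> dict:
    """Return {name: 'added' | 'modified' | 'removed'} for every deviation."""
    current = build_lockfile(mcp_json)
    findings = {}
    for name, fp in current.items():
        if name not in lockfile:
            findings[name] = "added"
        elif lockfile[name] != fp:
            findings[name] = "modified"  # same name, new command: trust-by-name gap
    findings.update({name: "removed" for name in lockfile if name not in current})
    return findings

if __name__ == "__main__":
    lock = build_lockfile(APPROVED_MCP_JSON)
    for name, kind in audit(lock, TAMPERED_MCP_JSON).items():
        print(f"BLOCK: MCP entry '{name}' {kind} since approval; re-approve before start")
```

Store the lockfile outside the agent's writable tree (or in a signed commit) and run the audit before the editor auto-starts any MCP server, so a rewrite of mcp.json by the agent is caught rather than executed.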
Related vulnerabilities
- HIGH: AI-AMAZON-Q-WIPER-2025
An attacker using the alias 'lkmanka58' submitted a pull request to Amazon's open-source Amazon Q Developer Extension GitHub repository on July 13, 2025; due to inadequate access controls it was merged, and the compromised version 1.84.0 shipped to the VS Code Marketplace on July 17, 2025. The injected payload was a prompt instructing the AI agent to act as a system cleaner and delete local file-system data and wipe AWS cloud resources via the CLI. Amazon stated the malicious code was incorrectly formatted and non-functional, revoked credentials, and released the fixed version 1.85.0 on July 24, 2025.
- CRITICAL: AI-COPILOT-CAMOLEAK-2025
Legit Security disclosed CamoLeak (CVSS 9.6), a critical vulnerability in GitHub Copilot Chat enabling silent exfiltration of private source code and secrets. The attack combined remote prompt injection via hidden pull-request comments with a CSP bypass that abused GitHub's own Camo image proxy: injected instructions made Copilot extract sensitive repo context, encode it character-by-character into a pre-generated dictionary of Camo image URLs, and leak it through image requests to an attacker server. GitHub mitigated it by disabling image rendering in Copilot Chat in August 2025.
- HIGH: AI-CURSOR-MCPOISON-2025
MCPoison (CVE-2025-54136), disclosed by Check Point Research and published August 1, 2025, is a persistent remote-code-execution flaw in the Cursor AI code editor affecting versions 1.2.4 and below, rated CVSS 8.8 by NIST. The root cause is that Cursor binds trust for a Model Context Protocol server to its configuration entry's name rather than to the content of its command, so once a collaborator approves an MCP entry, later edits to that entry's underlying command are treated as already trusted and run without any re-prompt. An attacker who can edit a shared .cursor/mcp.json in a repository, or the file locally, first commits a benign MCP entry to obtain approval, then silently swaps its command for a malicious one; the payload then executes automatically every time the victim opens the project, giving durable code execution on the developer's machine. This makes shared repositories a software-supply-chain vector for IP theft and host compromise. It is distinct from CurXecute (CVE-2025-54135), which uses live prompt injection to rewrite mcp.json; MCPoison abuses trust-by-name persistence after legitimate approval. Cursor fixed it in version 1.3 by re-validating modified MCP configurations.
- HIGH: AI-AGENT-INDIRECT-PROMPT-INJECTION-2025
Coding agents that autonomously read project and external content are vulnerable to indirect prompt injection, where hidden instructions placed in untrusted material the agent ingests hijack its behavior. The injection surface is broad: a poisoned README, source-code comment, GitHub issue or PR comment, a dependency's files, a fetched web page, or an MCP tool description, with instructions often concealed using invisible Unicode characters so a human reviewer never sees them, as Pillar Security demonstrated with the 'Rules File Backdoor' technique. Because the agent cannot distinguish trusted developer instructions from attacker text in the data it processes, the injected commands can direct it to insert a backdoor, weaken security controls, exfiltrate secrets, or run shell/MCP commands. Johann Rehberger (Embrace The Red) proved the data-exfiltration variant in Cursor with CVE-2025-54132 (disclosed June 30, 2025, fixed in v1.3): a comment-embedded payload made Cursor render a Mermaid diagram containing an attacker image URL, auto-firing an outbound request that leaked API keys and agent memory without confirmation. When the developer merges or runs the agent's resulting output unmonitored, the attacker-controlled changes land directly in the codebase or on the developer's machine.
- HIGH: AI-SLOPSQUATTING-2025
Slopsquatting is a supply-chain attack class where LLM code assistants recommend dependency names that do not exist, and attackers pre-register those hallucinated names on public registries to ship malware. A USENIX Security 2025 study analyzed 576,000 code samples across 16 LLMs and found 19.7% of recommended packages were hallucinated (21.7% for open-source models, 5.2% for commercial), yielding over 205,000 unique fake package names. Hallucinations repeat across sessions, so a single registered malicious package can be installed by many developers; researcher Bar Lanyado previously demonstrated the risk by registering a frequently hallucinated 'huggingface-cli' package that received tens of thousands of downloads.
- CRITICAL: AI-MCP-TOOL-POISONING-2025
MCP tool poisoning is a supply-chain prompt-injection class in which a malicious Model Context Protocol server embeds hidden directives inside a tool's description metadata. Because MCP clients feed the full tool description into the model's context but typically render only a simplified tool name to the user, the model reads attacker instructions (often wrapped in tags like IMPORTANT) that the human never sees. Invariant Labs disclosed this on April 1, 2025, demonstrating that merely connecting a server lets a benign-looking add() tool silently instruct the agent to read files such as ~/.cursor/mcp.json and ~/.ssh/id_rsa and exfiltrate them through innocuous-seeming parameters; this also enables 'line jumping' (Trail of Bits), where the description influences the model before any tool is invoked, and 'rug pull' variants that mutate a tool's description after the user has already approved it. The class maps to OWASP LLM01:2025 Prompt Injection and the LLM03 supply-chain risk.