AI-RULES-FILE-BACKDOOR-2025
Cursor · GitHub Copilot / Cursor rules files
Summary
Pillar Security disclosed a supply-chain attack technique called 'Rules File Backdoor' that weaponizes the configuration/rules files used to steer AI coding agents in Cursor and GitHub Copilot. Attackers embed instructions using invisible Unicode characters (zero-width joiners, bidirectional markers), contextual manipulation, and log-suppression directives that are readable by the AI but invisible to human reviewers, causing the agent to silently generate backdoored or vulnerable code and leak secrets. Because rules files are shared and reused across projects and survive forking, one poisoned file persistently compromises all future code-generation sessions for downstream users.
How to avoid it in your code
- Vet and pin rules/config files; review them as security-sensitive code, not trusted config.
- Scan rules files for invisible Unicode (zero-width, bidi markers) before adoption.
- Never import rules files from untrusted forks or third-party repos without inspection.
- Require mandatory human review plus security scanning of all AI-generated code.
- Treat rules-file changes in PRs as privileged and require explicit approval.
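Added example for the second bullet (this is not code from Pillar Security's write-up or from Cursor/Copilot): a small Python scanner that flags zero-width, bidirectional and Unicode tag characters in a rules file and recovers text smuggled as tag characters. The rules-file content it scans is constructed for the demonstration.

```python
# Added example (not from the page): scan an AI rules file for invisible or
# bidirectional Unicode that a human reviewer would not see in a diff.
import unicodedata
from typing import List, Tuple

# Code points flagged explicitly, in addition to the generic "Cf" (format) category.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}      # ZWSP, ZWNJ, ZWJ, WJ, BOM
BIDI = {0x061C, 0x200E, 0x200F, *range(0x202A, 0x202F), *range(0x2066, 0x206A)}
TAGS = set(range(0xE0000, 0xE0080))                       # Unicode "tag" block, a common smuggling channel

Finding = Tuple[int, int, str, str]  # (line, column, U+XXXX, Unicode name)

def is_suspicious(ch: str) -> bool:
    """True for characters that carry no visible glyph but can steer an LLM."""
    cp = ord(ch)
    if cp in ZERO_WIDTH or cp in BIDI or cp in TAGS:
        return True
    # Any other format (Cf) or private-use (Co) code point is also out of place
    # in a rules file. Note: legitimate emoji ZWJ sequences are flagged too; that
    # is intended for config that should be plain text.
    return unicodedata.category(ch) in ("Cf", "Co")

def scan_rules_text(text: str) -> List[Finding]:
    """Return every suspicious character with its 1-based line and column."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                findings.append((lineno, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings

def decode_tag_chars(text: str) -> str:
    """Recover ASCII hidden as tag characters: U+E0020..U+E007E map to ' '..'~'."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)

# Constructed sample: a plausible rules fragment with a zero-width joiner, a
# right-to-left override pair, and a tag-character payload appended to a rule.
SAMPLE_RULES = (
    "# Project coding conventions\n"
    "Always use TypeScript strict mode.\u200d\n"
    "Prefer named exports.\u202e hidden \u202c\n"
    "Keep functions small."
    + "".join(chr(0xE0000 + ord(c)) for c in "hidden instruction for the agent")
    + "\n"
)

if __name__ == "__main__":
    for line, col, cp, name in scan_rules_text(SAMPLE_RULES):
        print(f"line {line} col {col}: {cp} {name}")
    print("smuggled text:", decode_tag_chars(SAMPLE_RULES))
```

Running it on a real rules file is a matter of passing `open(path, encoding="utf-8").read()` to `scan_rules_text`; a non-empty result is a reason to block the file in review or CI.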
References
- https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents
- https://securityaffairs.com/175593/hacking/rules-file-backdoor-ai-code-editors-silent-supply-chain-attacks.html
- https://www.scworld.com/news/how-ai-coding-assistants-could-be-compromised-via-rules-file
Related vulnerabilities
- CRITICAL: AI-COPILOT-CAMOLEAK-2025
Legit Security disclosed CamoLeak (CVSS 9.6), a critical vulnerability in GitHub Copilot Chat enabling silent exfiltration of private source code and secrets. The attack combined remote prompt injection via hidden pull-request comments with a CSP bypass that abused GitHub's own Camo image proxy: injected instructions made Copilot extract sensitive repo context, encode it character-by-character into a pre-generated dictionary of Camo image URLs, and leak it through image requests to an attacker server. GitHub mitigated it by disabling image rendering in Copilot Chat in August 2025.
- HIGH: AI-VIBE-CODED-INSECURE-2025
Large-scale 2025 studies confirm that AI coding assistants emit insecure code at a high baseline rate, and that unreviewed 'vibe-coded' output ships those flaws to production. Veracode's 2025 GenAI Code Security Report (July 30, 2025), which evaluated over 100 LLMs across 80+ coding tasks in Java, Python, C# and JavaScript, found 45% of AI-generated samples introduced an OWASP Top 10 vulnerability, with an 86% failure rate on cross-site scripting and 88% on log injection, and security performance stayed flat regardless of model size or release date. The mechanism is that LLMs predict statistically likely code from training data rather than reasoning about security invariants, so they default to unparameterized SQL queries, unencoded output, hardcoded secrets and weak cryptography unless explicitly constrained. Stanford's user study 'Do Users Write More Insecure Code with AI Assistants?' (Perry, Srivastava, Kumar, Boneh; ACM CCS 2023) found that developers given an AI assistant wrote significantly less secure code, especially for encryption and SQL injection, yet were more confident their code was secure, removing the human skepticism that would otherwise catch the flaw. When this output is accepted and merged without review, SQLi, XSS, secret exposure and weak-crypto defects propagate into shipped software at scale.
- HIGH: CVE-2025-54135
Aim Labs disclosed CurXecute (CVE-2025-54135, CVSS 8.6), a remote-code-execution flaw in the Cursor AI code editor reachable through prompt injection. Because Cursor runs with developer-level privileges and supports the Model Context Protocol, untrusted external data pulled in by an MCP server (for example a crafted Slack message) can redirect the agent's control flow and rewrite the global mcp.json configuration to execute arbitrary commands. Potential consequences include data exfiltration, ransomware deployment, and dependency poisoning; it was patched in Cursor 1.3 on July 29, 2025.
- HIGH: AI-AMAZON-Q-WIPER-2025
An attacker using the alias 'lkmanka58' submitted a pull request to Amazon's open-source Amazon Q Developer Extension GitHub repository on July 13, 2025; due to inadequate access controls it was merged, and the compromised version 1.84.0 shipped to the VS Code Marketplace on July 17, 2025. The injected payload was a prompt instructing the AI agent to act as a system cleaner and delete local file-system data and wipe AWS cloud resources via the CLI. Amazon stated the malicious code was incorrectly formatted and non-functional, revoked credentials, and released the fixed version 1.85.0 on July 24, 2025.
- HIGH: AI-AGENT-INDIRECT-PROMPT-INJECTION-2025
Coding agents that autonomously read project and external content are vulnerable to indirect prompt injection, where hidden instructions placed in untrusted material the agent ingests hijack its behavior. The injection surface is broad: a poisoned README, source-code comment, GitHub issue or PR comment, a dependency's files, a fetched web page, or an MCP tool description, with instructions often concealed using invisible Unicode characters so a human reviewer never sees them, as Pillar Security demonstrated with the 'Rules File Backdoor' technique. Because the agent cannot distinguish trusted developer instructions from attacker text in the data it processes, the injected commands can direct it to insert a backdoor, weaken security controls, exfiltrate secrets, or run shell/MCP commands. Johann Rehberger (Embrace The Red) proved the data-exfiltration variant in Cursor with CVE-2025-54132 (disclosed June 30, 2025, fixed in v1.3): a comment-embedded payload made Cursor render a Mermaid diagram containing an attacker image URL, auto-firing an outbound request that leaked API keys and agent memory without confirmation. When the developer merges or runs the agent's resulting output unmonitored, the attacker-controlled changes land directly in the codebase or on the developer's machine.
- HIGH: AI-HUGGINGFACE-NULLIFAI-2025
ReversingLabs discovered two malicious machine-learning models on Hugging Face using a technique dubbed 'nullifAI' that evades the platform's PickleScan scanner. The models were compressed with 7z instead of the default ZIP and used deliberately broken Pickle files so that a reverse-shell payload placed at the start of the byte stream executes during deserialization before the scanner reaches the corrupted portion. Each model contained a platform-aware reverse shell connecting to a hardcoded IP; Hugging Face removed them within 24 hours of notification, illustrating the RCE risk of loading untrusted serialized AI models.