Back

Emerging Threats from AI Coding Assistants Exploited by Malicious Artifacts

Severity: High (Score: 67.5)

Sources: Arxiv, Tipranks

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: coding, assistants, semgrep, rules, agentic, agent, files

Summary

AI coding assistants like Claude Code and GitHub Copilot are vulnerable to prompt injection attacks that exploit unvetted external artifacts. These attacks can turn coding assistants into attackers' shells, executing unauthorized commands with developer privileges. Recent vulnerabilities, including CVE-2025-65099 and CVE-2025-61591, illustrate how hidden instructions in imported files can lead to credential theft and unauthorized code execution. Semgrep has responded by expanding its security rules to detect malicious patterns in AI agent skill files, now offering 122 Pro rules aimed at enhancing security in AI-driven development workflows. The rise of threats like ClawHavoc highlights the urgency for improved defenses against these emerging risks. As enterprises increasingly adopt AI coding tools, the need for robust security measures becomes critical. Key Points: • AI coding assistants are vulnerable to prompt injection attacks via external artifacts. • Recent CVEs demonstrate real-world exploitation of these vulnerabilities in tools like Claude Code. • Semgrep has launched new security rules to detect malicious patterns in AI coding environments.

Detailed Analysis

**Impact** Developers using AI coding assistants such as Claude Code, Cursor, and GitHub Copilot are affected globally, with risks extending to any organization relying on these tools for software development. Unauthorized command execution can lead to credential theft, codebase manipulation, and unauthorized access to developer machines, potentially compromising intellectual property and sensitive data like SSH keys. The operational impact includes disrupted development workflows and increased risk of persistent backdoors in software projects. **Technical Details** Attackers exploit prompt injection vulnerabilities by embedding hidden instructions in external artifacts such as coding rule files, skill files, and repository content. Exploited CVEs include CVE-2025-65099 (Claude Code), CVE-2025-61591 (Cursor MCP servers), CVE-2025-54130 (Cursor IDE settings), and CVE-2025-62222 (GitHub Copilot). Techniques involve manipulating the AI assistant’s token stream to execute unauthorized OS commands, exfiltrate credentials, and establish persistence. The ClawHavoc campaign is associated with these threats, targeting AI agent skill files to gain command execution and data exfiltration capabilities. **Recommended Response** Apply patches addressing CVE-2025-65099, CVE-2025-61591, CVE-2025-54130, and CVE-2025-62222 immediately. Deploy detection rules such as Semgrep’s “skill-go-exec-bash-pipe” to identify suspicious command execution patterns in AI agent skill files. Harden configurations by restricting automatic execution permissions in AI coding assistants and vetting all imported external artifacts before use. Monitor for unusual terminal commands and network activity originating from development environments using AI assistants.

Source articles (2)

  • How Agentic AI Coding Assistants Become the Attacker's Shell — Arxiv · 2026-05-26
    Agentic AI coding assistants can edit files, run commands, and access the internet on behalf of developers. However, their reliance on unvetted external artifacts introduces a new attack vector. Hidde…
  • Semgrep Expands Pro Security Rules Targeting AI Coding Assistant Threats — Tipranks · 2026-05-28
    According to a recent post from Semgrep , the company is highlighting new AI Agent rules designed to detect malicious patterns in AI agent skill files across multiple popular coding assistants, includ…

Timeline

  • 2025-08-05 — CVE-2025-54135 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-08-05 — CVE-2025-54130 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-08-11 — CVE-2025-55012 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-10-03 — CVE-2025-61591 published: Malicious Model Context Protocol servers exploited vulnerabilities in AI coding assistants.
  • 2025-10-03 — CVE-2025-59536 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-10-03 — CVE-2025-59944 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-10-03 — CVE-2025-61592 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-10-14 — CVE-2025-36730 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-11-11 — CVE-2025-62222 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-11-19 — CVE-2025-65099 published: A poisoned project configuration file led to unauthorized code execution in AI coding assistants.

CVEs

  • CVE-2025-36730
  • CVE-2025-54130
  • CVE-2025-54135
  • CVE-2025-55012
  • CVE-2025-59536
  • CVE-2025-59944
  • CVE-2025-61260
  • CVE-2025-61591
  • CVE-2025-61592
  • CVE-2025-62222
  • CVE-2025-65099
  • CVE-2026-21852
  • CVE-2026-22708
  • CVE-2026-31854

Related entities

  • Data Breach (Attack Type)
  • ClawHavoc (Malware)
  • zed.dev (Domain)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1059.004 - Unix Shell (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • AIShellJack (Tool)
  • Mitre Att&ck (Tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed