Millions of software developers are at risk due to a newly discovered class of critical vulnerabilities, dubbed “IDEsaster,” affecting popular AI-powered coding tools like GitHub Copilot, Gemini CLI, and Claude. These vulnerabilities exploit the integration of AI agents directly into legacy Integrated Development Environment (IDE) architectures, extending the attack surface and creating new vectors for malicious activity. The findings, confirmed by security analysts at MaccariTA, revealed that 100% of tested applications were vulnerable, leading to over 30 reported vulnerabilities and 24 assigned CVEs.
The IDEsaster vulnerability class targets the fundamental interaction between AI coding assistants and the underlying features of IDEs such as Visual Studio Code and JetBrains. Unlike traditional security flaws that focus on a single tool, these exploits leverage core IDE functionalities, including configuration files and workspace settings. By manipulating these foundational elements, attackers can bypass standard security protocols, potentially leading to data exfiltration and remote code execution.
Remote Code Execution via IDE Settings Overwrite
The most severe aspect of IDEsaster involves manipulating IDE configuration files to achieve remote code execution (RCE). This attack chain tricks AI agents into modifying critical settings files, such as .vscode/settings.json in Visual Studio Code or .idea/workspace.xml in JetBrains IDEs. This differs from prior exploits by targeting global IDE settings, rather than solely agent-specific configurations.
For example, an attacker can prompt an AI agent to edit a seemingly innocuous file, such as a Git hook sample, and embed malicious code within it. The agent can then be instructed to modify a setting such as “php.validate.executablePath” so that it points to this newly created malicious file. Once this configuration is active, simply creating a PHP file within the project triggers the IDE’s validation process, which executes the attacker’s code and grants them unauthorized access. This method weaponizes the IDE’s own validation features against the developer.
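A defensive check for the settings-overwrite pattern described above, as an added example that is not part of the MaccariTA research or any vendor's tooling: it reads a workspace's .vscode/settings.json and reports executable-path settings that resolve to a file inside the workspace itself. Assumptions: the key-name heuristic, treating relative values as relative to the workspace root, checking only top-level keys, and the constructed sample settings.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): keys ending in "path" name a program the IDE may launch.
EXEC_KEY = re.compile(r"path$", re.IGNORECASE)
JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)

def load_jsonc(text):
    """Parse settings.json after dropping // and /* */ comments outside strings."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(JSONC.sub(keep_strings, text))

def audit_workspace(root):
    """Return (key, value, where) for executable-path settings pointing into the workspace."""
    root = Path(root).resolve()
    settings_file = root / ".vscode" / "settings.json"
    if not settings_file.is_file():
        return []
    findings = []
    for key, value in load_jsonc(settings_file.read_text(encoding="utf-8")).items():
        if not (EXEC_KEY.search(key) and isinstance(value, str) and value):
            continue
        raw = value.replace("${workspaceFolder}", str(root))
        if "/" not in raw and "\\" not in raw:
            continue  # bare command name, looked up on PATH rather than in the project
        target = (root / raw).resolve()  # an absolute value replaces root in the join
        if target == root or root in target.parents:
            where = "inside .git" if ".git" in target.relative_to(root).parts else "inside workspace"
            findings.append((key, value, where))
    return findings

def demo():
    """Constructed workspace: one setting points at a Git hook sample, one at a system binary."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        (ws / ".vscode").mkdir()
        (ws / ".vscode" / "settings.json").write_text(
            '{\n  // constructed sample settings\n'
            '  "php.validate.executablePath": ".git/hooks/pre-commit.sample",\n'
            '  "git.path": "/usr/bin/git",\n'
            '  "editor.fontSize": 14\n}\n',
            encoding="utf-8")
        return audit_workspace(ws)

if __name__ == "__main__":
    for key, value, where in demo():
        print(f"REVIEW {key} = {value!r} ({where})")
```

Run against a checkout before opening it in the IDE, or as a CI step on changes that touch .vscode/; a finding means the value should be reviewed by a person, not that it is malicious.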
| Product | Vulnerability Type | CVE / Status |
|---|---|---|
| GitHub Copilot | Remote JSON Schema | Fixed (No CVE) |
| GitHub Copilot | IDE Settings Overwrite | CVE-2025-53773 |
| GitHub Copilot | Multi-Root Workspace Settings | CVE-2025-64660 |
| Cursor | Remote JSON Schema | CVE-2025-49150 |
| Cursor | IDE Settings Overwrite | CVE-2025-54130 |
| Cursor | Multi-Root Workspace Settings | CVE-2025-61590 |
| Roo Code | Remote JSON Schema | CVE-2025-53097 |
| Roo Code | IDE Settings Overwrite | CVE-2025-53536 |
| Roo Code | Multi-Root Workspace Settings | CVE-2025-58372 |
| Zed.dev | IDE Settings Overwrite | CVE-2025-55012 |
| JetBrains Junie | Remote JSON Schema | CVE-2025-58335 |
| Kiro.dev | Remote JSON Schema | Fixed (No CVE) |
| Kiro.dev | IDE Settings Overwrite | Fixed (No CVE) |
| Claude Code | Remote JSON Schema | Acknowledged (Warning Added) |
| Claude Code | IDE Settings Overwrite | Acknowledged (Warning Added) |
MaccariTA’s research indicates a pervasive issue, with 100% of examined applications exhibiting vulnerabilities. The broad impact of these findings has prompted immediate security advisories from major technology providers, including AWS, underscoring the widespread threat to developers. The vulnerabilities identified span multiple popular AI coding assistants, signaling a significant concern for the security of millions of users globally who rely on these tools for enhanced productivity.
The implications of IDEsaster are substantial, as these exploits bypass traditional security measures by leveraging the trust developers place in their development environments and AI assistants. Attackers can exploit these weaknesses to gain unauthorized access, steal sensitive code, insert malicious functionalities, or even compromise entire development pipelines. The complexity of these attacks lies in their ability to weaponize features intended to streamline the coding process, turning them into tools for cybercrime.
As vendors continue to address these vulnerabilities, developers are advised to remain vigilant. The rapid evolution of AI in software development presents both significant advantages and new security challenges. Organizations and individual developers should prioritize updating their IDEs and AI coding assistants to the latest versions to mitigate known risks. Ongoing research into the security implications of AI-driven development tools will be crucial in shaping future security best practices and ensuring a more secure software supply chain.

