FRESH

Hacker News

Home

New Vulnerability in GitHub Copilot, Cursor: Hackers Can Weaponize Code Agents

231 points by pseudolus

by DougBTX

8 subcomments

From the article:
> A 2024 GitHub survey found that nearly all enterprise developers (97%) are using Generative AI coding tools. These tools have rapidly evolved from experimental novelties to mission-critical development infrastructure, with teams across the globe relying on them daily to accelerate coding tasks.
That seemed high, what the actual report says:
> More than 97% of respondents reported having used AI coding tools at work at some point, a finding consistent across all four countries. However, a smaller percentage said their companies actively encourage AI tool adoption or allow the use of AI tools, varying by region. The U.S. leads with 88% of respondents indicating at least some company support for AI use, while Germany is lowest at 59%. This highlights an opportunity for organizations to better support their developers’ interest in AI tools, considering local regulations.
Fun that the survey uses the stats to say that companies should support increasing usage, while the article uses it to try and show near-total usage already.

by mrmattyboy

5 subcomments

> effectively turning the developer's most trusted assistant into an unwitting accomplice
"Most trusted assistant" - that made me chuckle. The assistant that hallucinates packages, avoides null-pointer checks and forgets details that I've asked it.. yes, my most trusted assistant :D :D

by tsimionescu

3 subcomments

The most concerning part of the attack here seems to be the ability to hide arbitrary text in a simple text file using Unicode tricks such that GitHub doesn't actually show this text at all, per the authors. Couple this with the ability of LLMs to "execute" any instruction in the input set, regardless of such a weird encoding, and you've got a recipe for attacks.
However, I wouldn't put any fault here on the AIs themselves. It's the fact that you can hide data in a plain text file that is the root of the issue - the whole attack goes away once you fix that part.

by tobyhinloopen

3 subcomments

Stop hijacking scrolling. Why would you do that? What developer thought this was a good idea?

by markussss

1 subcomments

This page has horrible scrolling. I really don't understand why anybody creates this kind of scroll. Are they not using what they create?

by MadsRC

2 subcomments

When this was released I thought that perhaps we could mitigate it by having the tooling only load “rules” if they were signed.
But thinking on it a bit more, from the LLMs perspective there’s no difference between the rule files and the source files. The hidden instructions might as well be in the source files… Using code signing on the rule files would be security theater.
As mentioned by another comms ter, the solution could be to find a way to separate the command and data channels. The LLM only operates on a single channel, that being input of tokens.

by DrNosferatu

4 subcomments

For some piece of mind, we can perform the search:

  OUTPUT=$(find .cursor/rules/ -name '*.mdc' -print0 2>/dev/null | xargs -0 perl -wnE '
    BEGIN { $re = qr/\x{200D}|\x{200C}|\x{200B}|\x{202A}|\x{202B}|\x{202C}|\x{202D}|\x{202E}|\x{2066}|\x{2067}|\x{2068}|\x{2069}/ }
    print "$ARGV:$.:$_" if /$re/
  ' 2>/dev/null)

  FILES_FOUND=$(find .cursor/rules/ -name '*.mdc' -print 2>/dev/null)

  if [[ -z "$FILES_FOUND" ]]; then
    echo "Error: No .mdc files found in the directory."
  elif [[ -z "$OUTPUT" ]]; then
    echo "No suspicious Unicode characters found."
  else
    echo "Found suspicious characters:"
    echo "$OUTPUT"
  fi

- Can this be improved?

by fjni

2 subcomments

Both GitHub and Cursor’s response seems a bit lazy. Technically they may be correct in their assertion that it’s the user’s responsibility. But practically isn’t part of their product offering a safe coding environment? Invisible Unicode instruction doesn’t seem like a reasonable feature to support, it seems like a security vulnerability that should be addressed.

by lukaslalinsky

0 subcomment

I'm quite happy with spreading a little bit of scare about AI coding. People should not treat the output as code, only as a very approximate suggestion. And if people don't learn, and we will see a lot more shitty code in production, programmers who can actually read and write code will be even more expensive.

by t_believ-er873

0 subcomment

Recently, I've seen a lot of information on the internet on how attackers use AI to spread malware, like jailbreak vulnerabilities that allow attackers to modify the tool's behavior. Here is the good article also on the topic: https://gitprotect.io/blog/how-attackers-use-ai-to-spread-ma...

by yair99dd

0 subcomment

Reminds me of this wild paper https://boingboing.net/2025/02/26/emergent-misalignment-ai-t...

by AutoAPI

0 subcomment

Recent discussion: Smuggling arbitrary data through an emoji https://news.ycombinator.com/item?id=43023508

by Oras

0 subcomment

This is a vulnerability in the same sense as someone committing a secret key in the front end.
And for enterprise, they have many tools to scan vulnerability and malicious code before going to production.

by throwaway290

1 subcomments

Next thing, LLMs that review code! Next next thing, poisoning LLMs that review code!
Galaxy brain: just put all the effort from developing those LLMs into writing better code

by mock-possum

4 subcomments

Sorry, but isn’t this a bit ridiculous? Who just allows the AI to add code without reviewing it? And who just allows that code to be merged into a main branch without reviewing the PR?
They start out talking about how scary and pernicious this is, and then it turns out to be… adding a script tag to an html file? Come on, as if you wouldn’t spot that immediately?
What I’m actually curious about now is - if I saw that, and I asked the LLM why it added the JavaScript file, what would it tell me? Would I be able to deduce the hidden instructions in the rules file?

by TZubiri

0 subcomment

May god forgive me, but I'm rooting for the hackers on this one.
Job security you know?

by GenshoTikamura

0 subcomment

There is an equal unit of trouble per each unit of "progress"

by gregwebs

1 subcomments

Is there a proactive way to defend against invisible Unicode attacks?

by handfuloflight

2 subcomments

The cunning aspect of human ingenuity will never cease to amaze me.

by jdthedisciple

2 subcomments

simple solution:
preprocess any input to agents by restricting them to a set of visible characters / filtering out suspicious ones

by nektro

0 subcomment

hijacked scrollbar. cardinal sin.

by budmichstelk

0 subcomment

[dead]

by zx0r1

0 subcomment

[flagged]