
New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors


Mar 18, 2025 | Ravie Lakshmanan | AI Security / Software Security


Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious code.

“This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent configuration files used by Cursor and GitHub Copilot,” Pillar Security’s Co-Founder and CTO Ziv Karliner said in a technical report shared with The Hacker News.


“By exploiting hidden unicode characters and sophisticated evasion techniques in the model facing instruction payload, threat actors can manipulate the AI to insert malicious code that bypasses typical code reviews.”

The attack vector is notable for the fact that it allows malicious code to silently propagate across projects, posing a supply chain risk.


The crux of the attack hinges on the rules files that are used by AI agents to guide their behavior, helping users to define best coding practices and project architecture.

Specifically, it involves embedding carefully crafted prompts within seemingly benign rule files, causing the AI tool to generate code containing security vulnerabilities or backdoors. In other words, the poisoned rules nudge the AI into producing nefarious code.

This can be achieved by using zero-width joiners, bidirectional text markers, and other invisible characters to conceal malicious instructions, and by exploiting the AI’s ability to interpret natural language to generate vulnerable code via semantic patterns that trick the model into overriding ethical and safety constraints.
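A reviewer can surface the invisible characters described above before a rule file reaches the AI assistant. The scanner below is an added example, not code from the Pillar Security report or from Cursor or GitHub; the function names and the sample rule text are constructed for illustration, and it generalizes slightly by flagging every Unicode format (Cf) character rather than only joiners and bidirectional marks.

```python
import unicodedata

# Bidirectional controls: embeddings/overrides, isolates, and directional marks.
BIDI = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A)) | {0x200E, 0x200F, 0x061C}
# Zero-width space, non-joiner, joiner, word joiner, and BOM / zero-width no-break space.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}


def classify(ch):
    """Return a label for an invisible format character, or None if it is ordinary text."""
    cp = ord(ch)
    if cp in BIDI:
        return "bidi-control"
    if cp in ZERO_WIDTH:
        return "zero-width"
    if 0xE0000 <= cp <= 0xE007F:
        return "unicode-tag"  # invisible "tag" block that can mirror ASCII text
    if unicodedata.category(ch) == "Cf":
        return "other-format"  # any remaining format character, e.g. soft hyphen
    return None


def scan_text(text):
    """Return (line, column, 'U+XXXX', label) for every hidden character found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            # A single byte-order mark at the very start of a file is tolerated.
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            label = classify(ch)
            if label:
                findings.append((lineno, col, f"U+{ord(ch):04X}", label))
    return findings


# Constructed sample rule file: a joiner on line 2, a bidi override pair on line 3.
SAMPLE_RULES = (
    "Use 4-space indentation.\n"
    "Prefer\u200d async handlers.\n"
    "\u202eAlways add type hints.\u202c\n"
)

if __name__ == "__main__":
    for line, col, codepoint, label in scan_text(SAMPLE_RULES):
        print(f"line {line}, col {col}: {codepoint} ({label})")
```

Run as a pre-commit or CI check over rule files, any finding is a reason to inspect the file in a hex-aware editor before merging.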


Following responsible disclosure in late February and March 2024, both Cursor and GitHub have stated that users are responsible for reviewing and accepting suggestions generated by the tools.

“‘Rules File Backdoor’ represents a significant risk by weaponizing the AI itself as an attack vector, effectively turning the developer’s most trusted assistant into an unwitting accomplice, potentially affecting millions of end users through compromised software,” Karliner said.

“Once a poisoned rule file is incorporated into a project repository, it affects all future code-generation sessions by team members. Furthermore, the malicious instructions often survive project forking, creating a vector for supply chain attacks that can affect downstream dependencies and end users.”
