Cybersecurity researchers have disclosed particulars of a brand new provide chain assault vector dubbed Guidelines File Backdoor that impacts synthetic intelligence (AI)-powered code editors like GitHub Copilot and Cursor, inflicting them to inject malicious code.
“This system allows hackers to silently compromise AI-generated code by injecting hidden malicious directions into seemingly harmless configuration recordsdata utilized by Cursor and GitHub Copilot,” Pillar safety’s Co-Founder and CTO Ziv Karliner stated in a technical report shared with The Hacker Information.
“By exploiting hidden unicode characters and complex evasion strategies within the mannequin going through instruction payload, menace actors can manipulate the AI to insert malicious code that bypasses typical code critiques.”
The assault vector is notable for the truth that it permits malicious code to silently propagate throughout tasks, posing a provide chain danger.
The crux of the assault hinges on the guidelines recordsdata which might be utilized by AI brokers to information their conduct, serving to customers to outline finest coding practices and challenge structure.
Particularly, it includes embedding fastidiously crafted prompts inside seemingly benign rule recordsdata, inflicting the AI device to generate code containing safety vulnerabilities or backdoors. In different phrases, the poisoned guidelines nudge the AI into producing nefarious code.
This may be achieved through the use of zero-width joiners, bidirectional textual content markers, and different invisible characters to hide malicious directions and exploiting the AI’s means to interpret pure language to generate susceptible code through semantic patterns that trick the mannequin into overriding moral and security constraints.
Following accountable disclosure in late February and March 2024, each Cursor and GiHub have said that customers are liable for reviewing and accepting solutions generated by the instruments.
“‘Guidelines File Backdoor’ represents a big danger by weaponizing the AI itself as an assault vector, successfully turning the developer’s most trusted assistant into an unwitting confederate, probably affecting hundreds of thousands of finish customers by way of compromised software program,” Karliner stated.
“As soon as a poisoned rule file is integrated right into a challenge repository, it impacts all future code-generation periods by workforce members. Moreover, the malicious directions typically survive challenge forking, making a vector for provide chain assaults that may have an effect on downstream dependencies and finish customers.”
