{"id":388452,"date":"2026-01-24T18:50:19","date_gmt":"2026-01-24T18:50:19","guid":{"rendered":"https:\/\/www.newsbeep.com\/uk\/388452\/"},"modified":"2026-01-24T18:50:19","modified_gmt":"2026-01-24T18:50:19","slug":"developer-proves-ai-agents-can-be-reprogrammed-via-new-exploit","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/uk\/388452\/","title":{"rendered":"Developer proves AI agents can be reprogrammed via new exploit"},"content":{"rendered":"<p>A new VS Code exploit can rewrite <a href=\"https:\/\/thenewstack.io\/ai-agents-a-comprehensive-introduction-for-developers\/\" target=\"_blank\" class=\"local-link\" rel=\"nofollow noopener\">AI agents<\/a> across all code repositories, an application security specialist demonstrated Thursday.<\/p>\n<p>On Wednesday, the <a href=\"https:\/\/isc.sans.edu\/\" target=\"_blank\" rel=\"noopener external  nofollow\" class=\"ext-link\" onclick=\"this.target=&#039;_blank&#039;;\">SANS Technology Institute<\/a> reported on a new zero-click exploit that only requires that developers open the folder in affected editors. The <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32644?\" target=\"_blank\" rel=\"noopener external  nofollow\" class=\"ext-link\" onclick=\"this.target=&#039;_blank&#039;;\">VS Code exploit<\/a>\u00a0involves a malicious tasks.json file that silently runs inside code editors. 
It was originally <a href=\"https:\/\/www.oasis.security\/resources\/cursor-workspace-trust-vulnerability?\" class=\"ext-link\" rel=\"external  nofollow noopener\" onclick=\"this.target=&#039;_blank&#039;;\" target=\"_blank\">identified by Oasis<\/a>, along with a recommended mitigation developers could apply.<\/p>\n<p>Within 24 hours, <a href=\"https:\/\/www.linkedin.com\/in\/isaac-lewis-b16775a5\/\" target=\"_blank\" rel=\"noopener external  nofollow\" class=\"ext-link\" onclick=\"this.target=&#039;_blank&#039;;\">Isaac Lewis<\/a> showed how the <a href=\"https:\/\/ike.io\/open-a-folder-all-your-agents-are-mine\/\" target=\"_blank\" rel=\"noopener external  nofollow\" class=\"ext-link\" onclick=\"this.target=&#039;_blank&#039;;\">exploit can be used to rewrite AI agents<\/a> created within the AI-native\u00a0code editor <a href=\"https:\/\/thenewstack.io\/install-cursor-and-learn-programming-with-ai-help\/\" target=\"_blank\" class=\"local-link\" rel=\"nofollow noopener\">Cursor<\/a>. 
In Cursor, the Oasis remediations disable the AI features, Lewis said when contacted via Bluesky.<\/p>\n<p>Cursor is a fork of the open source <a href=\"https:\/\/thenewstack.io\/how-to-use-vs-code-as-your-python-ide\/\" target=\"_blank\" class=\"local-link\" rel=\"nofollow noopener\">VS Code<\/a> and has been used by 31% of companies in the last year, according to an <a href=\"https:\/\/www.sonarsource.com\/the-state-of-code\/developer-survey-report\/\" target=\"_blank\" rel=\"noopener external  nofollow\" class=\"ext-link\" onclick=\"this.target=&#039;_blank&#039;;\">October survey conducted by Sonar<\/a>.<\/p>\n<p>Lewis warned, however, that the VS Code exploit could be used on other code editors.<\/p>\n<p>\u201cThat got me thinking: Could I use this to reprogram a developer\u2019s AI agents and get them to do what I want? Even worse \u2014 could I do this to all their code repositories?\u201d he wrote. \u201cTurns out: Hell yes.\u201d<\/p>\n<p>He added that while many <a href=\"https:\/\/thenewstack.io\/agentic-ai-tools-for-building-and-managing-agentic-systems\/\" target=\"_blank\" class=\"local-link\" rel=\"nofollow noopener\">developers are using AI tools<\/a> to help write code, these code editors come with \u201ca lot of new vulnerabilities.\u201d<\/p>\n<p>\u201cIf the tools are given malicious instructions, they could sabotage your code in subtle ways that are hard to detect,\u201d he stated. 
\u201cIt is quite easy to get these genAI tools to exfiltrate sensitive developer information like keys, secrets, certificates, and passwords \u2014 so, if an attacker can manipulate the way your genAI tools behave, they can create a persistent threat in your codebase.\u201d<\/p>\n<p>The exploit creates the possibility of a \u201cdistributed persistent threat,\u201d implanting itself in a developer\u2019s codebase and then spreading to the codebases of all the developers on a team, according to Lewis.<\/p>\n<p>In his proof-of-concept, which requires no user interaction, he changed the natural-language Cursor prompts to modify the AI agent\u2019s behavior so that it could only speak Spanish. He was able to keep the cause invisible to the developer, he added.<\/p>\n<p>\u201cThe first thing I wanted to write was the mechanism for finding .cursor folders. I limited myself to macOS to simplify things \u2014 I wanted something that was quick, quiet, and found folders that would already be given permission by the operating system so that Cursor wouldn\u2019t suspiciously ask for new permissions,\u201d he wrote.<\/p>\n<p>He realized, though, that it would be quicker to look for .cursor directories in neighboring repositories to the one he was in. After finding the cursor folders, he added the full payload.<\/p>\n<p>Then he hid the rule files from the developer.<\/p>\n<p>\u201cBy telling it to run on folderOpen, this [malicious] task will run whenever Cursor navigates to this folder, regardless of where that folder is,\u201d he wrote. 
\u201cThen if we tell it to never reveal, it won\u2019t give the developer any indication this task is running.\u201d<\/p>\n<p>In addition to his <a href=\"https:\/\/ike.io\/open-a-folder-all-your-agents-are-mine\/\" target=\"_blank\" rel=\"noopener external  nofollow\" class=\"ext-link\" onclick=\"this.target=&#039;_blank&#039;;\">detailed blog about the exploit<\/a>, he published a <a href=\"https:\/\/github.com\/ike\/cursor-task-hijack\" target=\"_blank\" rel=\"noopener external  nofollow\" class=\"ext-link\" onclick=\"this.target=&#039;_blank&#039;;\">GitHub repository for the exploit<\/a>.<\/p>\n<p>Lewis told The New Stack <a href=\"https:\/\/bsky.app\/profile\/ike.io\/post\/3md433qjqq22j\" target=\"_blank\" rel=\"noopener external  nofollow\" class=\"ext-link\" onclick=\"this.target=&#039;_blank&#039;;\">via Bluesky<\/a> that the only fix is to enable Workspace Trust and to thoroughly read the tasks.json file outside of VS Code and Cursor.<\/p>\n<p>Lewis is a senior software developer and application security specialist at SIGN Fracture Care International, a humanitarian aid organization focusing on orthopedic trauma care. He contributes to the <a href=\"https:\/\/owasp.org\/www-project-application-security-verification-standard\/\" target=\"_blank\" rel=\"noopener external  nofollow\" class=\"ext-link\" onclick=\"this.target=&#039;_blank&#039;;\">OWASP Application Security Verification Standard (ASVS)<\/a> and has spoken at a number of conferences, including IntroSecCon.<\/p>\n<p>For more on the security challenges created by coding with AI, check out The New Stack Senior Editor Darryl Taft\u2019s article, \u201c<a href=\"https:\/\/thenewstack.io\/vibe-coding-could-cause-catastrophic-explosions-in-2026\/\" target=\"_blank\" class=\"local-link\" rel=\"nofollow noopener\">Vibe coding could cause catastrophic \u2018explosions\u2019 in 2026.<\/a>\u201d<\/p>\n<p>Editor\u2019s Note: Story updated at 8:40 a.m. 
to reflect that Oasis identified the exploit and to include comments from Lewis sent via Bluesky.<\/p>\n<p>Loraine Lawson is a veteran technology reporter who has covered technology issues from data integration to security for 25 years. Before joining The New Stack, she served as the editor of the banking technology site Bank Automation News.<\/p>\n
","protected":false},"excerpt":{"rendered":"A new VS Code exploit can rewrite AI agents across all code repositories, an application security specialist demonstrated&hellip;\n","protected":false},"author":2,"featured_media":388453,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[554,733,4308,86,56,54,55],"class_list":{"0":"post-388452","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-artificialintelligence","11":"tag-technology","12":"tag-uk","13":"tag-united-kingdom","14":"tag-unitedkingdom"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts\/388452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/comments?post=388452"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts\/388452\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/media\/388453"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/media?parent=388452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/categories?post=388452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/tags?post=388452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}