.jpg)
.png)
Executive Summary
Pillar Security researchers have uncovered a dangerous new supply chain attack vector we've named "Rules File Backdoor." This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent configuration files used by Cursor and GitHub Copilot—the world's leading AI-powered code editors.
By exploiting hidden unicode characters and sophisticated evasion techniques in the model facing instruction payload, threat actors can manipulate the AI to insert malicious code that bypasses typical code reviews. This attack remains virtually invisible to developers and security teams, allowing malicious code to silently propagate through projects.
Unlike traditional code injection attacks that target specific vulnerabilities, “Rules File Backdoor” represents a significant risk by weaponizing the AI itself as an attack vector, effectively turning the developer's most trusted assistant into an unwitting accomplice, potentially affecting millions of end users through compromised software.
.png)
AI Coding Assistants as Critical Infrastructure
A 2024 GitHub survey found that nearly all enterprise developers (97%) are using Generative AI coding tools. These tools have rapidly evolved from experimental novelties to mission-critical development infrastructure, with teams across the globe relying on them daily to accelerate coding tasks.
This widespread adoption creates a significant attack surface. As these AI assistants become integral to development workflows, they represent an attractive target for sophisticated threat actors looking to inject vulnerabilities at scale into the software supply chain.
Rules File as a New Attack Vector
While investigating how development teams share AI configuration, our security researchers identified a critical vulnerability in how AI coding assistants process contextual information contained in rule files.
What is a Rules File?
Rule files are configuration files that guide AI Agent behavior when generating or modifying code. They define coding standards, project architecture, and best practices. These files are:
- Shared broadly: Stored in central repositories with team-wide or global access
- Widely adopted: Distributed through open-source communities and public repositories
- Trusted implicitly: Perceived as harmless configuration data that bypasses security scrutiny
- Rarely validated: Integrated into projects without adequate security vetting
Here's a Rules File example from Cursor's documentation:
.png)
Aside from personally creating the files, developers can also find them in open-source communities and projects such as:
During the research it was found that the review process for uploading new rules for these shared repos is also vulnerable as hidden unicode chars also appear invisible on the GitHub platform pull request approval process.
The Attack Mechanism
Our research demonstrates that attackers can exploit the AI's contextual understanding by embedding carefully crafted prompts within seemingly benign rule files. When developers initiate code generation, the poisoned rules subtly influence the AI to produce code containing security vulnerabilities or backdoors.
The attack leverages several technical mechanisms:
- Contextual Manipulation: Embedding instructions that appear legitimate but direct the AI to modify code generation behavior
- Unicode Obfuscation: Using zero-width joiners, bidirectional text markers, and other invisible characters to hide malicious instructions
- Semantic Hijacking: Exploiting the AI's natural language understanding with subtle linguistic patterns that redirect code generation toward vulnerable implementations
- Cross-Agent Vulnerability: The attack works across different AI coding assistants, suggesting a systemic vulnerability
What makes “Rules Files Backdoor” particularly dangerous is its persistent nature. Once a poisoned rule file is incorporated into a project repository, it affects all future code-generation sessions by team members. Furthermore, the malicious instructions often survive project forking, creating a vector for supply chain attacks that can affect downstream dependencies and end users.
Real-World Demonstration: Compromising AI-Generated Code in Cursor
Cursor's "Rules for AI" feature allows developers to create project-specific instructions that guide code generation. These rules are typically stored in a .cursor/rules directory within a project.
Here's how the attack works:
Step 1: Creating a Malicious Rule File
We created a rule file that appears innocuous to human reviewers:
.png)
However, the actual content includes invisible Unicode characters hiding malicious instructions:
Step 2: Generate an HTML File
We used Cursor's AI Agent mode with a simple prompt: "Create a simple HTML only page”
.png)
Step 3: Observe the Poisoned Output
The generated HTML file now contains a malicious script sourced from an attacker-controlled site.
.png)
What makes this attack particularly dangerous is that the AI assistant never mentions the addition of the script tag in its response to the developer. The malicious code silently propagates through the codebase, with no trace in the chat history or coding logs that would alert security teams.
Payload Breakdown
The attack payload contains several sophisticated components.
Let’s go over the different parts and explain how it works:
- Invisible Unicode Characters: This method encodes the entire attack payload within a text format that is undetectable to human reviewers but fully readable by AI models. This technique bypasses any "human-in-the-loop" protection measures.
- Jailbreak Storytelling: The payload uses a narrative structure to evade AI ethical constraints by framing the malicious action as a security requirement
- Hide logs and Manipulate the Developer: The instructions explicitly command the AI not to mention the code changes in its responses - in order to remove any logs from the Coding agent chat window that can raise developer suspicion
Together, these components create a highly effective attack that remains undetected during both generation and review phases.
The video below demonstrates the attack in a real environment, highlighting how AI-generated files can be poisoned via manipulated instruction files.
Real-World Demonstration: Compromising AI-Generated Code in GitHub Copilot
The following video demonstrates the same attack flow within the GitHub Copilot environment, showing how developers using AI assistance can be compromised.
Wide-Ranging Implications
The "Rules File Backdoor" attack can manifest in several dangerous ways:
- Overriding Security Controls: Injected malicious directives can override safe defaults, causing the AI to generate code that bypasses security checks or includes vulnerable constructs. In our example above, a seemingly innocuous HTML best practices rule was weaponized to insert a potentially malicious script tag.
- Generating Vulnerable Code: By instructing the AI to incorporate backdoors or insecure practices, attackers can cause the AI to output code with embedded vulnerabilities. For example, a malicious rule might direct the AI to:
- Prefer insecure cryptographic algorithms
- Implement authentication checks with subtle bypasses
- Disable input validation in specific contexts
- Data Exfiltration: A well-crafted malicious rule could direct the AI to add code that leaks sensitive information. For instance, rules that instruct the AI to "follow best practices for debugging" might secretly direct it to add code that exfiltrates:
- Environment variables
- Database credentials
- API keys
- User data
- Long-Term Persistence: Once a compromised rule file is incorporated into a project repository, it affects all future code generation. Even more concerning, these poisoned rules often survive project forking, creating a vector for supply chain attacks affecting downstream dependencies.
Attack Surface Analysis - Who is Affected?
Because rule files are shared and reused across multiple projects, one compromised file can lead to widespread vulnerabilities. This creates a stealthy, scalable supply chain attack vector, threatening security across entire software ecosystems.
Our research identified several propagation vectors:
- Developer Forums and Communities: Malicious actors sharing "helpful" rule files that unwitting developers incorporate
- Open-Source Contributions: Pull requests to popular repositories that include poisoned rule files
- Project Templates: Starter kits containing poisoned rules that spread to new projects
Mitigation Strategies
To mitigate this risk, we recommend the following technical countermeasures:
- Audit Existing Rules: Review all rule files in your repositories for potential malicious instructions, focusing on invisible Unicode characters and unusual formatting.
- Implement Validation Processes: Establish review procedures specifically for AI configuration files, treating them with the same scrutiny as executable code.
- Deploy Detection Tools: Implement tools that can identify suspicious patterns in rule files and monitor AI-generated code for indicators of compromise.
- Review AI-Generated Code: Pay special attention to unexpected additions like external resource references, unusual imports, or complex expressions.
Responsible Disclosure
Cursor
- February 26, 2025: Initial responsible disclosure to Cursor
- February 27, 2025: Cursor replied that they are investigating the issue
- March 6, 2025: Cursor replied and determined that this risk falls under the users' responsibility
- March 7, 2025: Pillar provided more detailed information and demonstration of the vulnerability implications
- March 8, 2025: Cursor maintained their initial position, stating it is not a vulnerability on their side
GitHub
- March 12, 2025: Initial responsible disclosure to GitHub
- March 12, 2025: GitHub replied and determined that users are responsible for reviewing and accepting suggestions generated by GitHub Copilot.
The responses above, which place these new kinds of attacks outside the AI coding vendors' responsibility, underscore the importance of public awareness regarding the security implications of AI coding tools and the expanded attack surface they represent, especially given the growing reliance on their outputs within the software development lifecycle.
Conclusion
The "Rules File Backdoor" technique represents a significant evolution in supply chain attacks. Unlike traditional code injection that exploits specific vulnerabilities, this approach weaponizes the AI itself, turning a developer's most trusted assistant into an unwitting accomplice.
As AI coding tools become deeply embedded in development workflows, developers naturally develop "automation bias"—a tendency to trust computer-generated recommendations without sufficient scrutiny. This bias creates a perfect environment for this new class of attacks to flourish.
At Pillar Security, we believe that securing the AI development pipeline is essential to safeguarding software integrity. Organizations must adopt specific security controls designed to detect and mitigate AI-based manipulations, moving beyond traditional code review practices that were never intended to address threats of this sophistication.
The era of AI-assisted development brings tremendous benefits, but also requires us to evolve our security models. This new attack vector demonstrates that we must now consider the AI itself as part of the attack surface that requires protection.
Appendix
OWASP Agentic AI Risk Classification
This vulnerability aligns with several categories in the OWASP Top 10 for Agentic AI:
AAI003: Agent Goal and Instruction Manipulation
The Cursor Rules Backdoor directly exploits how AI agents interpret and execute their assigned instructions. By manipulating rule files, attackers can cause the AI to act against its intended purpose while appearing to operate normally. This is particularly dangerous given the autonomous nature of AI agents, as compromised goals can lead to widespread unauthorized actions.
Key attack vectors include:
- Instruction Set Poisoning: Injecting malicious instructions into the agent's task queue
- Semantic Manipulation: Exploiting natural language processing to create deliberately misinterpreted instructions
- Goal Interpretation Attacks: Manipulating how the agent understands its objectives
AAI006: Agent Memory and Context Manipulation
The vulnerability also exploits how AI coding assistants store and utilize contextual information. By corrupting the agent's understanding of project context through rule files, attackers can influence its future decision-making processes.
This includes:
- Memory Poisoning: Deliberately corrupting an agent's stored context
- Context Amnesia Exploitation: Manipulating an agent's ability to maintain security constraints
- Cross-Session Data Leakage: Potentially accessing sensitive information across different sessions
AAI010: Agent Knowledge Base Poisoning
Through manipulating rule files, attackers effectively poison the knowledge base that the AI assistant relies on for decision-making. This affects the fundamental data and knowledge that guides agent behavior, causing systemic issues across all operations.
The attack involves:
- External Knowledge Manipulation: Modifying external data sources (rule files) that agents access
- Knowledge Base Corruption: Systematically manipulating the agent's stored knowledge and decision-making parameters
AAI012: Checker-out-of-the-Loop Vulnerability
The stealth nature of this attack explicitly exploits the lack of human oversight in AI-assisted coding workflows. Because of the use of hidden unicode characters, developers remain unaware when the AI has been compromised, resulting in a critical checker-out-of-the-loop scenario where:
- Alerts are suppressed: Code modifications occur without notifying the developer
- Decision irreversibility
References
Tags (Unicode block): https://en.wikipedia.org/wiki/Tags_(Unicode_block)
ASCII Smuggler Tool: Crafting Invisible Text and Decoding Hidden Codes: https://embracethered.com/blog/posts/2024/hiding-and-finding-text-with-unicode-tags/
.png)
.png)
