Embrace The Red

This is the first post in a series exploring security vulnerabilities in Windsurf. If you are unfamiliar with Windsurf, it is a fork of VS Code and the coding agent is called Windsurf Cascade.

The attack vectors we will explore today allow an adversary during an indirect prompt injection to exfiltrate data from the developer’s machine.

These vulnerabilities are a great example of Simon Willison’s lethal trifecta pattern.

Overall, the security vulnerability reporting experience with Windsurf has not been great. All findings were responsibly disclosed on May 30, 2025, and receipt was acknowledged a few days later. However, all further inquiries regarding bug status or fixes remain unanswered. The recent business disruptions and departure of CEO and core team members certainly put Windsurf in the news.

The Amazon Q Developer VS Code Extension (Amazon Q) is a very popular coding agent, with over 1 million downloads.

In previous posts we showed how prompt injection vulnerabilities in Amazon Q could lead to:

• Exfiltration of sensitive information from the user’s machine , and also to a
• System compromise by running arbitrary code

Today we will show how an attack can leverage invisible Unicode Tag characters that humans cannot see. However, the AI will interpret them as instructions, and this can be used to invoke tools and other nefarious actions.

The Amazon Q Developer VS Code Extension (Amazon Q) is a popular coding agent, with over 1 million downloads.

The extension is vulnerable to indirect prompt injection, and in this post we discuss a vulnerability that allowed an adversary (or also the AI for that matter) to run arbitrary commands on the host without the developer’s consent.

The resulting impact of the vulnerability is the same as CVE-2025-53773 that Microsoft fixed in GitHub Copilot, however AWS did not issue a CVE when patching the vulnerabiliy.

The next three posts will cover high severity vulnerabilities in the Amazon Q Developer VS Code Extension (Amazon Q Developer), which is a very popular coding agent, with over 1 million downloads.

It is vulnerable to prompt injection from untrusted data and its security depends heavily on model behavior.

At a high level Amazon Q Developer can leak sensitive information from a developer’s machine, e.g. API keys, to external servers via DNS requests. An adversary can also exploit this behavior during an indirect prompt injection attack.

In this post we discuss a vulnerability that was present in Amp Code from Sourcegraph by which an attacker could exploit markdown driven image rendering to exfiltrate sensitive information.

This vulnerability is common in AI applications and agents, and it’s actually similar to one we discussed last year in GitHub Copilot which Microsoft fixed.

Exploit Demonstration

For the proof-of-concept I use a pre-existing demo that created a longer time ago. It happened to just work with Amp as well. The prompt injection is hosted on a website which asks the AI to “backup” information to a third-party site by rendering an image and including previous chat data as a query parameter.

In this post we will look at Amp, a coding agent from Sourcegraph. The other day we discussed how invisible instructions impact Google Jules.

Turns out that many client applications are vulnerable to these kinds of attacks when they use models that support invisible instructions, like Claude.

Invisible Unicode Tag Characters Interpreted as Instructions

We have talked about hidden prompt injections quite a bit in the past, and so I’m keeping this short.

The latest Gemini models quite reliably interpret hidden Unicode Tag characters as instructions. This vulnerability, first reported to Google over a year ago, has not been mitigated at the model or API level, hence now affects all applications built on top of Gemini.

This includes Google’s own products and services, like Google Jules.

Hopefully, this post helps raise awareness of this emerging threat.

Invisible Prompt Injections in GitHub Issues

When Jules is asked to work on a task, such as a GitHub issue, it is possible to plant invisible instructions into a GitHub issue to add backdoor code, or have it run arbitrary commands and tools.

In the previous post, we explored two data exfiltration vectors that Jules is vulnerable to and that can be exploited via prompt injection. This post takes it further by demonstrating how Jules can be convinced to download malware and join a remote command & control server.

This research was performed in May 2025 and findings were shared with Google.

Remote Command & Control - Proof Of Concept

The basic attack chain follows the classic AI Kill Chain:

This post explores data exfiltration attacks in Google Jules, an asynchronous coding agent. This is the first of three posts that will highlight my research on Google Jules in May 2025. All information provided was also shared with Google at that time.

This first post will focus on data exfiltration, the lethal trifecta.

But let’s first talk about Jules’ system prompt.

Jules’ System Prompt and Multiple Agents

To grab the system prompt I just asked it to write it into a file.

This post is about an important, but also scary, prompt injection discovery that leads to full system compromise of the developer’s machine in GitHub Copilot and VS Code.

It is achieved by placing Copilot into YOLO mode by modifying the project’s settings.json file.

As described a few days ago with Amp, a vulnerability pattern in agents that might be overlooked is that if an agent can write to files and modify its own configuration or update security-relevant settings it can lead to remote code execution. This is not uncommon and is an area to always look for when performing a security review.

Today we cover Claude Code and a high severity vulnerability that Anthropic fixed in early June. The vulnerability allowed an attacker to hijack Claude Code via indirect prompt injection and leak sensitive information from the developer’s machine, e.g. API keys, to external servers by issuing DNS requests.

Prompt Injection Hijacks Claude

When reviewing or interacting with untrusted code or processing data from external systems, Claude Code can be hijacked to run bash commands that allow leaking of sensitive information without user approval.

Today we have another post about OpenHands from All Hands AI. It is a popular agent, initially named “OpenDevin”, and recently the company also provides a cloud-based service. Which is all pretty cool and exciting.

Prompt Injection to Full System Compromise

However, as you know, LLM powered apps and agents are vulnerable to prompt injection. That also applies to OpenHands and it can be hijacked by untrusted data, e.g. from a website. That impacts Confidentiality, Integrity, and Availability of the system.

Another day, another AI data exfiltration exploit. Today we talk about OpenHands, formerly referred to as OpenDevin. It’s created by All-Hands AI.

The OpenHands agent renders images in chat, which enables zero-click data exfiltration.

Simon Willison recently gave this data exfiltration attack pattern a great name: Lethal Trifecta.

We discuss this specific image based attack technique frequently. Sometimes a message must be repeated multiple times to raise awareness and become mainstream knowledge.

Today let’s explore Devin’s system prompt a bit more. Specifically, an interesing tool that I discovered when reading through it.

Hidden in Devin’s capabilities is a tool that can open any local port to the public Internet. That means, with the right indirect prompt injection nudge, Devin can be tricked into publishing sensitive files or services for anyone to access.

In this post we show how an attacker can make Devin send sensitive information to third-party servers, via multiple means. This post assumes that you read the first post about Devin as well.

But here is a quick recap: During an indirect prompt injection Devin can be tricked into download malware and extract sensitive information on the machine. But there is more…

Today we cover Devin AI from Cognition, the first AI Software Engineer.

We will cover Devin proof-of-concept exploits in multiple posts over the next few days. In this first post, we show how a prompt injection payload hosted on a website leads to a full compromise of Devin’s DevBox.

GitHub Issue To Remote Code Execution

By planting instructions on a website or GitHub issue that Devin processes, it can be tricked to download malware and launch it. This leads to full system compromise and turns Devin into a remote-controlled ZombAI. Any exposed secrets can then be leveraged to perform lateral movement, or other post-exploitation steps.

Sandbox-escape-style attacks can happen when an AI is able to modify its own configuration settings, such as by writing to configuration files.

That was the case with Amp, an agentic coding tool built by Sourcegraph.

The AI coding agent could update its own configuration and:

• Allowlist bash commands or
• Add a malicious MCP server on the fly to run arbitrary code

This could have been exploited by the model itself, or during an indirect prompt injection attack as we will demonstrate in this post.

Cursor is a popular AI code editor. In this post I want to share how I found an interesting data exfiltration issue, the demo exploits built and how it got fixed.

When using Cursor I noticed that it can render Mermaid diagrams.

Cursor Renders Mermaid Diagrams

If you are not familiar with Mermaid, it has a simple syntax:

graph TD User --> Computer

This will create a diagram as follows:

A few months ago I was looking at the filesystem MCP server from Anthropic.

The server allows to give an AI, like Claude Desktop, access to the local filesystem to read files or edit them and so forth.

I was curious about access control and in the documentation there is a configuration setting to set allowedDirectories, which the AI should be allowed access to:

As you can see the example shows two folders being allowlisted for access.

Today we cover ChatGPT Codex as part of the Month of AI Bugs series.

ChatGPT Codex is a cloud-based software engineering agent that answers codebase questions, executes code, and drafts pull requests.

In particular, this post will demonstrate how Codex is vulnerable to prompt injection, and how the use of the “Common Dependencies Allowlist” for Internet access enables an attacker to recruit ChatGPT Codex into a malware botnet.