A scan of 100 applications built with AI code editors found that 67% contained at least one critical vulnerability. That number alone should make every developer using Cursor, GitHub Copilot, or Windsurf pause and think about what they're shipping.
The security surface of AI-powered code editors has expanded fast over the past year, and the findings are not pretty: three published CVEs against Cursor, a systemic vulnerability pattern across every major AI IDE, and an attack technique that hides malicious instructions in characters humans literally cannot see.
The Rules File Backdoor
Researchers at Pillar Security demonstrated an attack where malicious directives are embedded in AI configuration files using invisible Unicode characters like zero-width joiners and bidirectional text markers. These characters don't show up in code reviews or even in GitHub pull request diffs, but AI models can read them just fine.
Once triggered, the AI silently injects malicious code: script tags loading attacker-controlled payloads, disabled security controls, weakened cryptography, or credential exfiltration. The developer never sees a warning because the instructions are literally invisible.
This is not a theoretical attack. It works against both Cursor's .cursor/rules directory and GitHub Copilot's instruction files.
Three CVEs, One IDE
Cursor specifically has been hit with three CVEs:
- CVE-2025-54135 (CurXecute) - Malicious content causes Cursor's AI to rewrite MCP configuration files (MCP is the Model Context Protocol that lets AI tools interact with external services) and execute arbitrary commands with full developer privileges.
- CVE-2025-54136 (MCPoison) - An attacker commits an innocent-looking MCP config to a shared repo, then modifies it to run backdoor commands on every team member's machine.
- CVE-2025-59944 - A case-sensitivity bug in file path handling bypasses Cursor's file protections, enabling remote code execution. Patched in version 1.7 and above.
Beyond Cursor, security researcher Ari Marzouk found vulnerabilities across 100% of tested AI IDEs in a sweep dubbed "IDEsaster," affecting Cursor, Windsurf, GitHub Copilot, Zed.dev, Roo Code, Junie, Cline, and Kiro.dev. The problem is systemic, not limited to one vendor.
What AI-Generated Code Actually Looks Like
The vulnerability scan numbers paint a clear picture of what happens when developers trust AI output without review:
- 43% of scanned apps had IDOR issues (Insecure Direct Object References, where one user can access another user's data by changing an ID in the URL)
- 31% had inverted authentication logic - the code checks permissions backwards
- 22% had hardcoded API secrets sitting in the source code
AI models trained on public codebases reproduce the insecure patterns in their training data. They're very good at writing code that looks correct and runs correctly but fails silently on security.
The supply chain angle is equally concerning. An Ethereum core developer had their crypto wallet drained after installing a typosquatted Cursor extension. Amazon Q's VS Code extension was briefly compromised with prompts that attempted to wipe local files.
Practical Steps That Actually Help
None of this means you should stop using AI coding tools. But treating AI-generated code as trusted code is a mistake. A few concrete steps:
- Run SAST tools on every AI-generated commit. Static analysis catches the patterns AI models love to reproduce: hardcoded secrets, broken auth logic, injection vulnerabilities.
- Audit your AI config files. Treat .cursor/rules, Copilot instructions, and MCP configs with the same rigor as code reviews. Check for invisible Unicode characters.
- Update your tools. Cursor 1.7+ patches all three known CVEs.
- Never paste real credentials into AI chat. These tools lack robust sandboxing, and agents can access files you didn't intend to share.
- Review MCP configurations before approving them. MCP servers can execute shell commands, read SSH keys, and access sensitive data.
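A defender-side check for the invisible-character pattern described under The Rules File Backdoor above and for the "Check for invisible Unicode characters" step in this list. This is an added example, not code from Pillar Security or from any of the editors named here: the watch list is built from the zero-width and bidirectional characters the article mentions plus the whole Unicode format (Cf) category, the file paths in the docstring are the usual locations rather than anything the article specifies, and the sample rules text is constructed.

```python
"""Scan AI editor rules/config files for invisible Unicode characters."""
import sys
import unicodedata
# Explicit zero-width and bidi controls, each with a readable label. Anything
# else in the Unicode "Cf" (format) category is also flagged; that covers the
# tag block U+E0000..U+E007F, which can carry hidden text past a reviewer.
WATCHED = {
    0x200B: "ZERO WIDTH SPACE", 0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER", 0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE (also a BOM; harmless only at 1:1)",
    0x200E: "LEFT-TO-RIGHT MARK", 0x200F: "RIGHT-TO-LEFT MARK",
}
WATCHED.update({cp: "BIDI EMBEDDING/OVERRIDE" for cp in range(0x202A, 0x202F)})
WATCHED.update({cp: "BIDI ISOLATE" for cp in range(0x2066, 0x206A)})

def find_invisible(text: str) -> list[tuple[int, int, str, str]]:
    """Return (line, column, U+XXXX, name) for every hidden character."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in WATCHED or unicodedata.category(ch) == "Cf":
                name = WATCHED.get(cp) or unicodedata.name(ch, "UNNAMED FORMAT CHAR")
                findings.append((line_no, col, f"U+{cp:04X}", name))
    return findings

def scan_files(paths) -> dict[str, list]:
    """Scan files such as .cursor/rules/*.mdc, copilot-instructions.md or mcp.json
    (typical locations, assumed here rather than taken from the article)."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = find_invisible(fh.read())
    return results

# Constructed sample rules file: looks clean in an editor, but line 2 hides a
# zero-width span and line 3 ends with a right-to-left override.
SAMPLE_RULES = (
    "Always write idiomatic TypeScript.\n"
    "Prefer named exports.\u200Bhidden\u200D\n"
    "Keep functions small.\u202E\n"
)

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if sys.argv[1:] else {"<sample>": find_invisible(SAMPLE_RULES)}
    for path, found in hits.items():
        for line, col, cp, name in found:
            print(f"{path}:{line}:{col}: {cp} {name}")
    sys.exit(1 if any(hits.values()) else 0)  # non-zero exit fails a CI gate
```

Run it with the rules and MCP config paths as arguments in a pre-commit hook or CI job; with no arguments it scans the constructed sample and reports three findings.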
AI code editors are genuinely useful. They're also running with more access to your system than most developers realize. The tools are improving, but right now the security model is "trust the AI and hope for the best." That's not good enough for production code.