Researchers from Pillar Security have uncovered a previously undocumented supply chain attack vector that threatens the integrity of AI-powered code development tools.
Dubbed the ‘Rules File Backdoor,’ the technique enables cybercriminals to silently compromise AI-generated code by injecting malicious instructions into seemingly innocuous configuration files used by popular AI-driven code editors, such as Cursor and GitHub Copilot.
By exploiting hidden Unicode characters and employing advanced evasion techniques, attackers can subtly alter the behavior of AI models, making them produce malicious code that goes undetected by human security teams.
The attack relies on configuration files, so-called ‘rule files’, that define coding standards, project architecture, and best practices. Pillar Security's investigation reveals a weakness in how AI assistants process contextual information from shared rule files, particularly during code review on platforms like GitHub.
The attack payload is encoded using characters that are invisible to human reviewers. Because these characters do not render, they evade typical human-based review processes and bypass ‘human-in-the-loop’ protection measures.
The injected instructions specifically command the AI to exclude any mention of the malicious code changes in its responses, effectively erasing logs or references that could alert developers to suspicious behavior.
Using subtle linguistic patterns and context manipulation, the attacker exploits the AI’s understanding of language to guide it toward vulnerable or backdoor-laden code.
“What makes ‘Rules Files Backdoor’ particularly dangerous is its persistent nature. Once a poisoned rule file is incorporated into a project repository, it affects all future code-generation sessions by team members. Furthermore, the malicious instructions often survive project forking, creating a vector for supply chain attacks that can affect downstream dependencies and end users,” the researchers noted.
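Because the payload described above hides in characters a reviewer never sees, the practical defence is to scan rule files mechanically before they are merged. The following is an added example (not Pillar Security's code or any tool's output): it flags Unicode format and control characters in a rule file, decodes the Unicode TAG block (U+E0020..U+E007E, which shadows printable ASCII) so a reviewer can read any smuggled text, and runs against a constructed sample file. The sample content and the hidden marker text are assumptions made up for this demonstration.

```python
"""Scan AI rule files for Unicode a human reviewer cannot see."""
import unicodedata
from dataclasses import dataclass

ALLOWED_CONTROLS = {"\t", "\n", "\r"}   # ordinary whitespace is fine
TAG_BASE = 0xE0000                       # start of the Unicode TAGS block


@dataclass
class Finding:
    line: int          # 1-based line in the rule file
    col: int           # 1-based column
    codepoint: str     # e.g. "U+200B"
    name: str          # Unicode character name, for the review comment


def is_hidden(ch):
    """True for format (Cf) characters and non-whitespace controls (Cc)."""
    cat = unicodedata.category(ch)
    return cat == "Cf" or (cat == "Cc" and ch not in ALLOWED_CONTROLS)


def find_hidden_chars(text):
    """Return every invisible character with its position, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        for col, ch in enumerate(line, start=1):
            if is_hidden(ch):
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}",
                                        unicodedata.name(ch, "<unnamed>")))
    return findings


def reveal_tag_text(text):
    """Decode TAG characters into the ASCII they mirror; empty if none."""
    return "".join(chr(ord(ch) - TAG_BASE) for ch in text
                   if TAG_BASE + 0x20 <= ord(ch) <= TAG_BASE + 0x7E)


def strip_hidden(text):
    """Sanitised copy; a CI gate can fail when strip_hidden(text) != text."""
    return "".join(ch for ch in text if not is_hidden(ch))


# Constructed sample: an ordinary-looking rule file with a TAG-encoded
# sentence appended to line 3 and a stray zero-width space on line 4.
# The hidden sentence is a harmless marker used only to exercise the scanner.
HIDDEN = "".join(chr(TAG_BASE + ord(c)) for c in "hidden test marker")
SAMPLE_RULES = ("# Project coding standards\n"
                "- Use TypeScript strict mode\n"
                "- Prefer named exports" + HIDDEN + "\n"
                "- Write unit tests for new modules\u200b\n")

if __name__ == "__main__":
    for f in find_hidden_chars(SAMPLE_RULES):
        print(f"line {f.line} col {f.col}: {f.codepoint} {f.name}")
    print("decoded hidden text:", repr(reveal_tag_text(SAMPLE_RULES)))
```

A `git diff` or a code-review UI shows none of the flagged characters, which is why the check belongs in a pre-commit hook or CI job rather than in a human reviewer's eyes.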