AI coding assistants such as GitHub Copilot and Cursor could be manipulated to generate code containing backdoors, vulnerabilities and other security issues via distribution of malicious rule configuration files, Pillar Security researchers reported Tuesday.Rules files are used by AI coding agents to guide their behavior when generating or editing code. For example, a rules file may include instructions for the assistant to follow certain coding best practices, utilize specific formatting, or output responses in a specific language.The attack technique developed by Pillar Researchers, which they call “Rules File Backdoor,” weaponizes rules files by injecting them with instructions that are invisible to a human user but readable by the AI agent.Hidden Unicode characters like bidirectional text markers and zero-width joiners can be used to obfuscate malicious instructions in the user interface and in GitHub pull requests, the researchers noted.Rules configurations are often shared among developer communities and distributed through open-source repositories or included in project templates; therefore, an attacker could distribute a malicious rules file by sharing it on a forum, publishing it on an open-source platform like GitHub or injecting it via a pull request to a popular repository.Once the poisoned rules file is imported to GitHub Copilot or Cursor, the AI agent will read and follow the attacker’s instructions while assisting the victim’s future coding projects.In an example demonstrated by Pillar, a rules file that appeared to instruct the AI to “Follow HTML5 best practices” included hidden text containing further instructions to add an external script to the end of every file.The hidden prompt also included a jailbreak to bypass potential security checks, ensuring the AI that adding the script was necessary to secure the project and was part of company policy, as well as instructions to not mention the addition of the script in any responses to the user.The Pillar researchers found that both GitHub Copilot and Cursor followed the instructions to add the external script when asked to generate an HTML page, and that the addition of this script was not mentioned in the assistants’ natural language responses.The “Rules File Backdoor” could also potentially be used to introduce security vulnerabilities in generated code or create code that leaks sensitive information like database credentials or API keys, according to the researchers.Pillar disclosed the exploit to Cursor in February 2025 and GitHub in March 2025. Cursor said the issue was not due to a vulnerability in its platform and that it is users’ responsibility to manage the risk. GitHub similarly responded that users are responsible for reviewing and accepting code and suggestions generated by Copilot.About 97% of respondents to GitHub’s 2024 “AI in software development” survey said they have used generative AI both in and outside of work, demonstrating the prevalence of AI coding assistance among developers.Pillar recommended that developers review all rules files they use for potential malicious injections such as invisible Unicode or unusual formatting, and treat AI configuration files with the same scrutiny as executable code.AI-generated code should also be carefully reviewed, especially for unexpected additions like external resource references, the researchers wrote. Automated detection tools can also help to identify suspicious content in rules files or indicators of compromise in AI-generated code.
