Engineers Warn of Real Dangers in AI Coding Agents

AI coding agents promise to speed up development, but engineers and researchers keep finding hard evidence they can backfire badly. From security holes that let attackers steal data or run code on your machine to workflow tricks that hijack your repos, these tools carry risks developers can’t ignore. Even on the productivity side, one engineer says they barely help and often add bugs.
Over 30 Vulnerabilities Let Attackers Steal Data and Run Code
Security researcher Ari Marzouk dug into popular AI-powered IDEs like Cursor, GitHub Copilot, Zed.dev, and Roo Code. He found more than 30 flaws, dubbed IDEsaster, that chain prompt injections with normal IDE features for data theft and remote code execution. Twenty-four got CVE numbers.
Marzouk told The Hacker News the big shock was how every tested AI IDE fell to similar attack chains. Attackers slip past LLM guardrails, use auto-approved tool calls, then trigger legit IDE actions to leak files or execute commands.
Examples include:
- CVE-2025-49150 in Cursor and others: A prompt tricks the agent into reading sensitive files and writing a JSON file that points to a remote schema; the data leaks when the IDE fetches that schema.
- CVE-2025-53773 in GitHub Copilot: The agent edits settings such as php.validate.executablePath so that the IDE runs attacker-chosen code.
- CVE-2025-64660: Workspace files are modified to achieve code execution, often with no user interaction when tool calls are auto-approved.
Marzouk’s recommendations: stick to trusted projects, keep an eye on MCP servers, and check any added sources for hidden prompts. Makers of AI IDEs should limit tool privileges and sandbox the commands agents run.
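The two mechanisms above (an executable-path setting rewritten by the agent, and a JSON file carrying a remote `$schema` the IDE will fetch) are both visible in the workspace files, so a repository check can catch them before a pull request or an agent session touches them. The following is an added example, not code from Marzouk’s research or from any of the IDEs named; it assumes plain JSON (VS Code’s JSONC comments would need stripping first), and the allow-list host and the extra setting key `python.defaultInterpreterPath` are assumptions.

```python
import json
from urllib.parse import urlparse
# Setting keys that make the IDE launch a binary, so an agent editing them is a
# code-execution path. php.validate.executablePath is the key named in the article;
# python.defaultInterpreterPath is an assumed extra of the same class.
EXECUTABLE_SETTING_KEYS = {"php.validate.executablePath", "python.defaultInterpreterPath"}
# Assumed allow-list: remote schemas on hosts a team has vetted are not flagged.
ALLOWED_SCHEMA_HOSTS = {"json.schemastore.org"}

def remote_schema_refs(obj, path="$") -> list[tuple[str, str]]:
    """Collect (json_path, url) for every "$schema" value pointing to a remote
    host outside the allow-list; nested objects and arrays are walked too."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key == "$schema" and isinstance(value, str):
                u = urlparse(value)
                if u.scheme in ("http", "https") and u.hostname not in ALLOWED_SCHEMA_HOSTS:
                    found.append((child, value))
            else:
                found.extend(remote_schema_refs(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(remote_schema_refs(value, f"{path}[{i}]"))
    return found

def audit_workspace_file(name: str, text: str) -> list[str]:
    """Return one warning per suspicious item in a workspace JSON file."""
    try:
        doc = json.loads(text)  # plain JSON assumed; JSONC comments would need stripping first
    except json.JSONDecodeError as exc:
        return [f"{name}: not valid JSON ({exc.msg})"]
    warnings = [f"{name}: remote $schema at {p} -> {u}" for p, u in remote_schema_refs(doc)]
    if isinstance(doc, dict):
        for key in sorted(EXECUTABLE_SETTING_KEYS.intersection(doc)):
            warnings.append(f"{name}: executable setting {key} = {doc[key]!r}")
    return warnings

# Constructed sample files (not taken from any real project).
SAMPLE_FILES = {
    ".vscode/settings.json": json.dumps(
        {"editor.tabSize": 2, "php.validate.executablePath": "/tmp/not-php.sh"}),
    "config/app.json": json.dumps(
        {"$schema": "https://schemas.example.invalid/app.json",
         "meta": {"$schema": "https://json.schemastore.org/package.json"}}),
}

def audit_all(files=SAMPLE_FILES) -> list[str]:
    return [w for name, text in files.items() for w in audit_workspace_file(name, text)]
```

Run it as a pre-commit or CI step over every `*.json` under the repository; any warning is a reason to review the diff by hand rather than let an auto-approving agent proceed.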
AI Agents Hijack GitHub Workflows Too
Aikido researchers showed how AI coding tools from Google Gemini, Claude Code, OpenAI Codex, and GitHub get turned against devs in real GitHub Actions and GitLab pipelines. Malicious commit messages or PRs inject prompts that LLMs treat as orders.
Rein Daelman at Aikido called it the first real-world hit on workflows. Attackers confuse the LLM into treating data as instructions, which leads to shell commands, repo edits, or token leaks, even when the input comes from outsiders filing issues. The issue was fixed in Gemini CLI after Aikido’s report, but Daelman says the core problem affects most models. Check CyberScoop’s coverage for details on how Claude and Codex bypass write limits.
Limited Time Savings and Sneaky Bugs
A software engineer with decades in C++, Delphi, and more shared his take in The Register: AI assistants don’t cut much time and slip in subtle bugs unless you review everything. He urges staying in control and thinking for yourself, based on daily use in code, tests, and planning. No big transformation—just tweaks to habits.
Similar views come from VentureBeat on brittle context windows and broken refactors, WebProNews on the demo-deploy gap, and another VentureBeat warning against replacing engineers with AI.
These warnings add up: AI coding agents expand attack surfaces and demand constant checks. Engineers see the limits clearly.