IDEsaster 2.0: Language Servers as an Attack Surface
If you haven’t already, you should definitely follow me on X or connect on LinkedIn (or both).

Summary

In December 2025, I published IDEsaster, which introduced a novel vulnerability class affecting AI Integrated Development Environments (IDEs): chaining prompt injection through auto-approved agent tools into base IDE features (settings files, multi-root workspaces, remote JSON schemas) to achieve data exfiltration and remote code execution without user interaction. The industry response was immediate. Nearly 30 vulnerabilities were patched across 12 vendors, and sandboxing features and egress controls were implemented. This was in addition to denylisting IDE files (.vscode/settings.json, *.code-workspace, .idea/workspace.xml, etc.) so that the AI agent must request human approval before writing to them. IDEsaster 2.0 demonstrates that this mitigation is structurally insufficient on its own: the architectural risks go deeper than previously understood. ...
IDEsaster: A Novel Vulnerability Class in AI IDEs
Don’t want to miss my next post? Follow me on X or connect on LinkedIn.

Summary

We all know AI has reshaped how we build software. Autocomplete evolved into AI agents that can autonomously act on behalf of the user. As vendors compete on “productivity”, they add capabilities that significantly affect the security posture of their products. Around 6 months ago, I decided to dig into the world of AI IDEs and coding assistants because they were gaining popularity and it was clear they are here to stay. The first vulnerabilities I found were focused on narrow components - a vulnerable tool, a writable agent configuration or a writable MCP configuration that leads to anything from data exfiltration to remote code execution. Those issues are serious, but they only affect a single application at a time (and were publicly disclosed multiple times). ...