Exploiting AI IDEs

Feb 17, 2026

Ari Marzuk, an offensive security researcher who exposed the “IDEsaster” vulnerabilities in AI coding tools. He discusses a new class of flaws rooted in shared IDE layers. Conversations cover why legacy tools fail with autonomous agents. He highlights low-barrier exploitation methods and the tension between developer productivity and security.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

From Playing With Cursor To New Class Discovery

Ari Marzuk began testing Cursor because he used it daily and wanted public work to showcase his skills.
After the first few bugs he recognized a repeating pattern that pointed to a new vulnerability class in the shared IDE layer.

INSIGHT

Shared IDE Base Layer Creates Wide Blast Radius

Many AI IDEs share a common base layer built on existing editors like VS Code or IntelliJ.
Targeting that shared layer creates a vulnerability class that affects multiple vendors at once.

INSIGHT

Legacy Systems Need A 'Secure For AI' Mindset

Legacy software wasn't designed for autonomous AI agents and needs a new 'secure for AI' mindset.
This gap likely exists across CI/CD, collaboration tools, and cloud infrastructure as AI is bolted on quickly.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this episode of Resilient Cyber, we will be sat down with Ari Marzuk, the researcher who published "IDEsaster", A Novel Vulnerability Class in AI IDE's.

We will be discussing the rise of AI-driven development and modern AI coding assistants, tools and agents, and how Ari discovered 30+ vulnerabilities impacting some of the most widely used AI coding tools and the broader risks around AI coding.

Ari's background in offensive security — Ari has spent the past decade in offensive security, including time with Israeli military intelligence, NSO Group, Salesforce, and currently Microsoft, with a focus on AI security for the last two to three years.
IDEsaster: a new vulnerability class — Ari's research uncovered 30+ vulnerabilities and 24 CVEs across AI-powered IDEs, revealing not just individual bugs but an entirely new vulnerability class rooted in the shared base IDE layer that tools like Cursor, Copilot, and others are built on.
"Secure for AI" as a design principle — Ari argues that legacy IDEs were never built with autonomous AI agents in mind, and that the same gap likely exists across CI/CD pipelines, cloud environments, and collaboration tools as organizations race to bolt on AI capabilities.
Low barrier to exploitation — The vulnerabilities Ari found don't require nation-state sophistication to exploit; techniques like remote JSON schema exfiltration can be carried out with relatively simple prompt engineering and publicly known attack vectors.
Human-in-the-loop is losing its effectiveness — Even with diff preview and approval controls enabled, exfiltration attacks still triggered in Ari's testing, and approval fatigue from hundreds of agent-generated actions is pushing developers toward YOLO mode.
Least privilege and the capability vs. security trade-off — The same unrestricted access that makes AI coding agents so productive is what makes them vulnerable, and history suggests organizations will continue to optimize for utility over security without strong guardrails.
Top defensive recommendations — Ari emphasized isolation (containers, VMs) as the single most important control, followed by enforcing secure defaults that can't be easily overridden, and applying enterprise-level monitoring and governance to AI agent usage.
What's next — Ari is turning his attention to newer AI tools and attack surfaces but isn't naming targets yet. You can follow his work on LinkedIn, X, and his blog at makarita.com.