Knostic

Technology, Information and Internet

Herndon, Virginia 5,052 followers

IAM for the LLM Age - Enabling enterprises to control and harness institutional knowledge through the power of LLMs

About us

Knostic is the world’s first provider of need-to-know based access controls for LLMs. With knowledge-centric capabilities, Knostic enables organizations to accelerate the adoption of LLMs and drive AI-powered innovation without compromising value, security, or safety. RSA Launch Pad finalist and Black Hat Startup Spotlight winner, 2024.

Website
https://knostic.ai/
Industry
Technology, Information and Internet
Company size
11-50 employees
Headquarters
Herndon, Virginia
Type
Privately Held
Founded
2023
Specialties
AI Security and AI Data Access Governance

Updates

  • Knostic reposted this

    Gadi Evron, Building a world-class AI security company at Knostic | CISO-in-Residence for AI at Cloud Security Alliance

    Lucian Constantin from CSO Online covers Knostic’s new research showing how Cursor’s new browser could be compromised via JavaScript injection. Unlike VS Code, Cursor does not perform integrity checks on Cursor-specific features, and that difference makes Cursor’s runtime components a higher-risk target for tampering. We demonstrate this insecurity by replacing the login pages within Cursor’s internal browser with a page that harvests credentials and sends them to a remote attacker. Attacks on AI agents, and coding assistants specifically, expand the CI/CD boundaries, effectively extending the perimeter to the IDE and developer machines. This represents a fast-expanding supply chain risk for the enterprise. If you’re interested in hearing more about how Knostic’s Kirin stops these attacks, send me a message!

    Article: https://lnkd.in/dbAca7zE
    Research: https://lnkd.in/dZwr9myK

  • AI Supply Chain Risks: From AI Coding Assistants, MCP, and Extensions, to Prompts And Rules

    This webinar breaks down emerging AI supply chain risks, focusing on the most adopted agentic technology: AI coding assistants. From MCP and extensions to prompts and rules copied from the internet, these tools now pose a significant threat, expanding our perimeter to the IDE, and affecting the developer workstation, secrets vault, corporate network, and codebase. As the attack surface expands, so does attacker interest, and the urgency to control the risk.

    Webinar: AI Supply Chain Risks: MCP, Extensions, Prompts & Coding Assistants (LinkedIn Live)

  • The lineup is set for “Managing AI in Your Infrastructure: The Good, The Bad, and The Ugly” - a dynamic panel discussion happening next week in New York!

    Moderator: Joel Carlson, VP of Sales, Baz

    Our Panelists:
    - Fareed C., Global Head of Sales Engineering, Torq
    - Heather Linn, Researcher & Sales Engineer, Knostic
    - Muhammad Ahsan, Solutions Advisor
    - Tom Brennan, Principal Consultant, Proactive Risk

    These industry leaders bring deep experience across infrastructure, security, and AI deployment — sharing practical strategies for managing risk and driving responsible adoption.

    📅 Wednesday, November 12
    ⏰ 11:00 am – 1:00 pm (EST)
    📍 Amazon JFK36 Office, 330 W. 34th Street, New York, NY

    Last seats available — Register here 👉 https://lnkd.in/ev3rsxbk

    Netgate | Torq | Baz | Proactive Risk

    #AI #AISecurity #Infrastructure #SecurityLeadership #NYCTech #PanelDiscussion #AIAdoption #Event #TechCommunity
  • A JavaScript injection attack on Cursor, facilitated by a malicious extension, can take over the IDE and the developer workstation. While we’re releasing a PoC, and it may even be unique, we’ve seen this kind of attack many times this past year alone. Our purpose is to deep dive into these attacks, understand why they continue to work, and suggest defensive approaches. Especially when it comes to cyber defense and AppSec (aside from Knostic wink wink), the industry doesn’t yet have capabilities in this realm.

    We demonstrate how an attacker can:
    - Gain full file-system access
    - Modify or replace installed extensions
    - Persist code that reattaches after restart.

    Impact:
    - Interpreter-level execution can directly call the file system and native APIs
    - An attacker can inject JavaScript into the running IDE, fully controlling the UI.

    From a security program management perspective, AI coding assistants also increase the range of supply chain threats organizations must tackle. MCP servers, extensions, and even simple prompts and rules introduce third-party risks that push the CI/CD boundaries and extend the organizational perimeter to the developer’s workstation.

    Our blog: https://lnkd.in/dk_5Va39

    Knostic protects developers and AI coding agents against attacks such as these. Learn more: https://lnkd.in/du8w9RYJ

  • Exciting News! We’re thrilled to share that our very own Heather Linn will be joining the expert panel “Managing AI in Your Infrastructure: The Good, The Bad, and The Ugly.” This session will dive into how organizations can navigate AI’s risks, unlock its full potential, and implement proven, real-world strategies for secure and effective adoption.

    📅 Date: Wednesday, November 12
    ⏰ Time: 11:00 am – 1:00 pm (EST)
    📍 Location: JFK36 Amazon Office, 330 W. 34th Street, New York, NY

    Don’t miss this candid lunch panel exploring AI’s impact on infrastructure and operations, from tackling algorithmic bias to safeguarding data privacy. Seats are limited, so register now: https://lnkd.in/egc8_PZt
  • We’re sharing a few YARA rules for GlassWorm (targeting AI coding assistants through VS Code extensions), based on IOCs and the Unicode hidden characters (zero-width) attack. These rules are not perfect and can be fine-tuned further, but they should help get the job done. https://lnkd.in/d7CAJ3c9

    To learn more about securing your AI coding agent, visit our site here: https://lnkd.in/eS5CBvXY

    Credit to Koi for the initial research. With thanks to Sherman and Moon.

  • This Wednesday it’s happening! [un]prompted: AI Security Researcher Meetup is around the corner and this is your last chance to RSVP, limited spots remaining! Join us for an amazing evening with talks from leading experts:
    - Sounil Yu (Knostic) – Mental Models and AI Security
    - Michael Bargury (Zenity) – 0click Enterprise Compromise – Thank You, AI!
    - Omer Nevo (Irregular) – Model Refusal
    - Amit Giloni (Fujitsu Research) – Multi-agent Systems Security
    - Bar Lanyado (Lasso) – Lateral Movement in Agentic Systems
    - Heather Linn (Knostic) – MCP Security Reality Check

    With your host, Gadi Evron

    Where: Azrieli Sarona Tower, Tel Aviv.
    When: October 29th, 6 pm to 10 pm.

    Register now before it’s too late: https://lnkd.in/e-jvNtyx

    #AISecurity #CyberSecurity #AIResearch #Unprompted #Knostic #TelAviv #Meetup
  • Live Breakdown: Ongoing Attacks on AI Coding Agents

    AI coding agents, the IDE, and developers themselves are actively exploited, and have become the new enterprise perimeter. Threat actors now target the developer environment itself, compromising extensions, MCP servers, and agentic tools to reach the CI/CD pipeline and production, and to move laterally across the network. In this LinkedIn Live, we’ll examine the emerging threat landscape, common attack types, and attack campaigns, including GlassWorm, a self-propagating malware that spread through the OpenVSX registry and impacted IDEs and coding agents such as Cursor and Windsurf.

    You’ll learn:
    * How AI coding assistants are attacked
    * How recent threat campaigns exploit IDE ecosystems
    * Why AI coding agents expand the enterprise attack surface
    * Practical defenses
    * And see a demo of Knostic’s solution to defend developers and coding agents, Kirin.

    Join to assess the state of AI coding agent security and learn how to reduce exposure to these emerging threats.

    #DeveloperSecurity #ThreatIntelligence #IDE #Cursor #MCP #Windsurf #LinkedInLive #AgentSecurity #AISecurity

  • You review code that looks perfectly safe. Your agent executes something completely different.

    Invisible characters such as U+200B (zero-width space) and U+202E (bidirectional override) look harmless but can hide malicious logic that compilers execute while appearing normal to human reviewers.

    How the attack works:
    - Attackers embed invisible Unicode in VS Code extensions or AI configuration files
    - These characters hide payloads, reorder code execution, or poison AI-generated code
    - Git diffs and syntax highlighters show no visible difference

    A single rules file can inject malicious logic into countless lines of code and persist across forks and supply chains.

    Read more here: https://lnkd.in/gRsTD2v2

    At Knostic, we detect these invisible threats in real time. Learn more: https://lnkd.in/gMb44dav

  • You open a PDF. Your coding agent reads it. Your invoices now contain an attacker's payment details.

    Researcher Josh Devon just proved this attack is real, hijacking Claude Skills with white-on-white text.

    What are Skills? They let you teach Claude repeatable procedures it can load on demand, procedures that are callable, shareable, and composable.

    How the attack works:
    - Malicious actors hide instructions in white-on-white text within a PDF packaged with a skill
    - PDF parsers extract all text, including the hidden content
    - The coding agent reads these hidden tokens as legitimate instructions
    - Result: indirect prompt injection that can manipulate agent behavior within trusted workflows (for example, producing fraudulent invoices)

    Read Josh’s full blog here: https://lnkd.in/e8vvXDs2

    At Knostic, we defend both the IDE and the developer against these emerging threats. If you’re interested in how we protect coding agents and secure the development environment, learn more here: https://lnkd.in/e7V8WkWV
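The zero-width and bidirectional-override characters described in the invisible-Unicode post above (and flagged by the GlassWorm YARA rules post) are easy to catch mechanically before a rules file, extension or config reaches a reviewer or an agent. The scanner below is an added example written for this page, not Knostic's code or its YARA rules; the code point lists and the sample rules file are assumptions constructed for illustration.

```python
import unicodedata
from typing import List, NamedTuple

# Code points commonly used to hide or visually reorder text.
# Assumed lists for this example; extend them to suit your own policy.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}

class Finding(NamedTuple):
    line: int
    col: int
    codepoint: str  # e.g. "U+202E"
    name: str       # Unicode character name
    kind: str       # "zero-width", "bidi-control" or "format"

def scan_text(text: str) -> List[Finding]:
    """Return every suspicious character with its 1-based line and column."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in ZERO_WIDTH:
                kind = "zero-width"
            elif cp in BIDI_CONTROLS:
                kind = "bidi-control"
            elif unicodedata.category(ch) == "Cf":
                kind = "format"  # any other format control, e.g. soft hyphen
            else:
                continue
            findings.append(Finding(line_no, col, f"U+{cp:04X}",
                                    unicodedata.name(ch, "<unnamed>"), kind))
    return findings

def scan_file(path: str) -> List[Finding]:
    # A UTF-8 BOM at file start is reported as U+FEFF too; decide in your policy whether that is acceptable.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())

# Constructed sample rules file: looks benign to a reviewer, but carries a
# zero-width space and a right-to-left override that reorders the comment.
SAMPLE = (
    "# rules for the coding agent\n"
    "always_run_tests = true\u200b\n"
    "# safe \u202e }\u2066 if access_level != 'admin' {\u2069\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line} col {f.col}: {f.codepoint} {f.name} ({f.kind})")
```

Wiring `scan_file` into a pre-commit hook or CI step that fails on any non-empty result gives reviewers the visible diff that Git and syntax highlighters do not.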
