By NHI Mgmt Group Editorial TeamPublished 2025-11-05Domain: Cyber SecuritySource: Knostic

TL;DR: A malicious extension, injected JavaScript, or unvetted MCP input can turn a Cursor or VS Code derivative into a privileged execution environment with file-system access, extension modification, and restart-persistent code, according to Knostic. The attack class is old, but AI coding assistants widen the supply chain and workstation blast radius enough that IDE trust now needs explicit governance.


At a glance

What this is: This is an analysis of how malicious extensions and injected scripts can hijack AI coding assistants running in Electron or Node.js contexts, giving attackers workstation-level control and persistence.

Why it matters: It matters because AI coding assistants sit inside developer trust boundaries, so IAM, PAM, secrets, and supply chain controls must now extend to IDE plugins, MCP servers, and prompt inputs.

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

👉 Read Knostic's analysis of AI coding assistant extension abuse and IDE compromise


Context

AI coding assistants are not just productivity tools. In Electron and Node.js-based IDEs, they can become privileged runtime environments that inherit broad file-system and extension-management permissions. That changes the security model from a local editor problem into an identity, secrets, and supply chain problem at the developer workstation.

The article’s core point is that the attack class is not novel, but the scale of exposure has changed. Malicious extensions, compromised publishing pipelines, poisoned prompts, and unvetted MCP servers all expand the trust boundary around developer identity, NHI-like automation, and workstation access. That is a typical risk pattern for modern IDE ecosystems, not an edge case.


Key questions

Q: How should security teams govern AI coding assistants that run extensions and MCP servers?

A: Treat them as privileged development platforms, not lightweight tools. Require publisher verification, approved connector inventories, checksum validation, and controlled installation paths for extensions and MCP servers. The goal is to reduce the chance that untrusted code inherits the IDE’s system access and becomes a persistence point on developer workstations.

Q: Why do AI coding assistants create new workstation risk for IAM and PAM teams?

A: They expand the trust boundary into the developer endpoint, where local secrets, repository credentials, and privileged sessions may already exist. When the IDE can read files, alter extensions, or persist code after restart, a compromise can become a path into broader identity and access systems. That makes workstation privilege part of access governance.

Q: What should security teams get wrong about extension security in developer tools?

A: They often focus on the extension itself and miss the execution context it inherits. In an Electron or Node.js IDE, a malicious add-on can become an active payload with file-system access and persistence. The control problem is therefore provenance, runtime isolation, and monitoring, not just code review of the add-on package.

Q: Which controls matter most when an IDE compromise could expose secrets and repositories?

A: Prioritise short-lived credentials, tight extension allowlists, and integrity monitoring on IDE bundle files. If local tokens or SSH keys are exposed, an attacker can move from workstation access to repository tampering or downstream system access. Containment depends on limiting what the IDE can reach, read, and persist.


Technical breakdown

How Electron and Node.js make IDE code injection possible

Electron applications combine a browser-like renderer with Node.js access, which means injected JavaScript can cross from UI manipulation into local system capabilities when isolation is weak. In VS Code derivatives, the extension host and workbench code often run with enough privilege to reach files, modify UI state, and call internal services. The practical problem is not JavaScript itself, but the absence of a hard boundary between untrusted extension content and trusted IDE internals.

Practical implication: Treat the IDE runtime as a privileged execution environment, not a benign editor shell.

Why malicious extensions and MCP inputs become supply chain threats

A malicious extension is only one entry point. Unvetted MCP servers, poisoned prompts, and copied rules can all introduce code or instructions that execute inside the IDE’s trusted context. Because these components are frequently installed from external sources and then auto-updated or reused across teams, they create a software supply chain path into developer machines and downstream repositories. The threat is amplified when publishing pipelines or developer accounts are compromised, because distribution becomes automatic.

Practical implication: Control extension and MCP provenance with the same discipline used for package supply chains.

How persistence and file access turn an IDE into a malware platform

Once code executes in the IDE context, attackers can read local files, alter installed extensions, and persist logic that reattaches on restart. That gives them a durable foothold for credential theft, repository tampering, and exfiltration from developer workstations. In practical terms, the IDE becomes both a launch point and a relay point across repositories, vaults, and production access paths if tokens or secrets are accessible locally.

Practical implication: Assume any IDE compromise can become a workstation-to-repository-to-production escalation path.


Threat narrative

Attacker objective: The attacker aims to gain durable control over the developer workstation and use that trust position to steal secrets, alter code, and propagate malicious activity into connected systems.

  1. Entry occurs through a malicious extension, poisoned prompt, or other untrusted IDE input that executes inside the Electron or Node.js context.
  2. Escalation follows because the injected code inherits IDE privileges, enabling file reads, UI manipulation, extension replacement, and persistent modification.
  3. Impact is achieved when the attacker uses the IDE foothold to steal credentials, alter code, or turn the workstation into a malware and exfiltration platform.

NHI Mgmt Group analysis

IDE trust is becoming a governance problem, not just a developer tooling problem. When AI coding assistants accept extensions, MCP servers, prompts, and rules from external sources, the security boundary shifts from the IDE vendor to the enterprise’s own intake controls. That means supply chain governance now extends into developer workstations, where unvetted components can act like privileged software. Practitioners should manage IDE inputs as controlled dependencies, not convenience features.

Workstation privilege is the real asset being abused here. The most dangerous part of these attacks is not visual tampering in the UI, but the fact that the runtime can reach files, persistence mechanisms, and extension state. That makes developer endpoints part of the privileged access plane, especially when secrets, tokens, and repository credentials are stored locally. Teams should treat IDE compromise as a precursor to broader identity and NHI exposure.

Extension provenance is the named control gap this attack pattern exploits. The article shows that a single untrusted component can inherit the IDE’s trust and survive restarts, which is a classic provenance failure. In NHIMG terms, this is a trust intake problem, not a patching problem. Practitioners should validate publisher identity, update channels, and bundle integrity before allowing any extension or MCP server into the development environment.

Persistent code inside developer tooling collapses the separation between productivity and post-exploitation. Once a payload can reattach after restart, the attacker no longer needs repeated user interaction. That raises the operational value of IDE compromise because it can serve as a durable access path into repos, vaults, and production workflows. Security teams should place developer tooling inside their endpoint, PAM, and secrets governance model.

AI coding assistants should be governed as high-trust agent-adjacent systems. They are not autonomous agents in the strict sense, but they do run code, process prompts, and interact with tools in ways that extend enterprise attack surface. That makes them relevant to OWASP NHI-style controls, especially where extensions and connectors act as non-human access pathways. Practitioners should align IDE governance with the same identity and privilege controls used for other machine-mediated access.

What this signals

Developer tooling now needs the same identity and access scrutiny as any other privileged platform. The combination of extension intake, local secrets exposure, and persistent code means AI coding assistants can no longer sit outside core governance workflows. Teams should expect endpoint controls, PAM policy, and software supply chain review to converge around the IDE.

Extension provenance will become a measurable control surface. Security teams should track how many IDE add-ons, MCP servers, and assistant connectors are installed from outside approved channels, then correlate that number with secret exposure and repository risk. The more external inputs you allow, the more your workstation trust model depends on upstream discipline rather than local enforcement.

Persistent execution in the IDE collapses the gap between identity compromise and code compromise. Once an attacker can reattach after restart, the next objective is usually credential access rather than noisy malware behaviour. That makes developer endpoints a priority for identity-led monitoring, especially where local tokens or SSH material are present.


For practitioners

  • Lock down extension and MCP intake Allow only approved publishers, pinned versions, and reviewed connectors in developer IDEs. Require repository ownership verification, recent maintainer activity checks, and explicit security review before installation of any new extension or MCP server.
  • Verify bundle integrity on managed IDE builds Track checksums for workbench bundle files and product metadata, then alert on unauthorized edits or checksum drift. This is especially important on macOS, where bundle replacement can silently persist across launches.
  • Separate developer tooling from secret-bearing workflows Minimise local exposure of SSH keys, API tokens, and vault credentials on machines that run AI coding assistants. Use short-lived access, reduce cached secrets, and keep privileged tokens out of the IDE environment where possible.
  • Monitor IDE behaviour as an endpoint security signal Watch for unusual writes in IDE directories, outbound traffic to unknown domains, extension installation spikes, and unexpected file reads from home directories. Correlate those signals with developer identity and repository activity.
  • Treat compromised publishing pipelines as a distribution risk Review how extensions, packages, and assistant add-ons are published into your environment. A compromised publisher or automation pipeline can spread malicious code faster than manual user installation ever would.

Key takeaways

  • AI coding assistants can inherit enough privilege to turn a single malicious extension into workstation compromise and persistence.
  • The scale of the risk is driven by developer trust boundaries, not by whether the underlying JavaScript attack class is new.
  • Security teams should govern IDE inputs, local secrets, and bundle integrity together instead of treating them as separate problems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0002 , Execution; TA0006 , Credential Access; TA0003 , PersistenceThe article describes code execution, secret theft, and restart-persistent footholds.
NIST CSF 2.0PR.AC-4Developer tooling extends access control into workstation and extension trust decisions.
NIST SP 800-53 Rev 5AC-6Least privilege is central when an IDE can read files and alter installed components.
CIS Controls v8CIS-5 , Account ManagementCompromised developer accounts and publishing pipelines can spread malicious extensions.
OWASP Non-Human Identity Top 10NHI-03Untrusted tool connections and persistent machine access map to non-human identity governance gaps.

Map IDE abuse paths to execution, credential access, and persistence techniques, then monitor for each on developer endpoints.


Key terms

  • Electron Runtime: Electron runtime refers to an application framework that combines browser rendering with Node.js capabilities. In security terms, it can blur the line between UI code and local system access if isolation is weak, which is why desktop apps built this way often inherit browser-style and workstation-style attack surfaces at the same time.
  • Extension Provenance: Extension provenance is the chain of trust showing where an add-on came from, who published it, and whether its distribution path is authentic. For developer tools, provenance matters because a trusted-looking extension can still carry malicious code, auto-update behaviour, or hidden dependencies that execute with elevated runtime access.
  • MCP Server: An MCP server is a tool endpoint exposed through the Model Context Protocol so AI systems can interact with external data or actions in a structured way. It becomes a governance issue when teams allow unreviewed servers to connect assistants to internal systems, because access and execution boundaries then depend on third-party trust.
  • Developer Workstation Blast Radius: Developer workstation blast radius is the amount of code, data, and access an attacker can reach after compromising a developer device. It is large when local secrets, repository credentials, and privileged tooling coexist on the same endpoint, because a single foothold can quickly expand into source control, cloud, and production paths.

What's in the full article

Knostic's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step bundle injection and checksum-bypass mechanics for controlled research environments.
  • File-path examples and runtime hooks used to reach local data from the IDE context.
  • Detection ideas for bundle edits, rogue extensions, and suspicious outbound traffic from developer tools.
  • Practical recommendations for validating extension provenance before installation.

👉 Knostic's full post covers the attack chain, persistence mechanics, and defensive checks in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps security practitioners connect identity controls to the broader access paths that modern development tooling creates.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org