← All posts
AI Security February 22, 2026 5 min read

Your AI Coding Assistant Is Now the Weapon

Attackers planted English-language instructions inside a trusted tool. The AI followed them. No malware signatures. 4,000 machines hit.

Cracked android head on a workshop bench with exposed wiring being worked on by hands with fine tools

On February 17, 2026, an attacker did something that didn't exist in the threat model two years ago.

They fed hidden instructions to an AI coding tool. The AI, not knowing the difference between real tasks and planted ones, followed them. Those instructions told it to hand over the credentials that control who can publish software updates. Think of it like slipping a fake memo into someone's inbox that says "give me the keys to the supply room," and the person just... does it.

In security, this trick has a name: prompt injection. You hide instructions where an AI will read them, and the AI does what it's told.

With those stolen credentials, the attacker pushed a poisoned update to the tool. But instead of hiding malware in it, they planted more English-language instructions that called developers' own AI assistants with maximum permission flags.

The AI did the rest.

The target was Cline, a popular open-source AI coding assistant with hundreds of thousands of users. The bad package, cline@2.3.0, was live for about eight hours before it got pulled. In that window, it was downloaded roughly 4,000 times.

On each affected machine, the planted instructions quietly spun up OpenClaw, an AI agent with full disk access, shell execution and network reach. Not a virus. Not ransomware. An AI agent, running with permissions the developer had already given it, doing exactly what it was told.

Security researchers called the implant "exceptionally high-value." There were no malware signatures to catch because the attack wasn't malware. It was the developer's own tools following orders.

This is a new kind of attack

The classic supply chain attack works by hiding bad code in a trusted package. The payload is usually something you can spot: a backdoor, a key stealer, a keylogger. Security tools are built to flag these patterns.

The Cline attack is different. The payload isn't code. It's a prompt. Instructions written in plain English, tucked inside a real-looking package, that tell an AI agent what to do when it runs. The AI carries it out using access it already has.

It happened again ten days later. On February 27, attackers hit the OpenVSX registry (including the Aqua Trivy security scanning extension) and planted prompts that called Claude, Copilot and Gemini CLI with --dangerously-skip-permissions and --yolo flags. If you're naming your flags that honestly, maybe trust the label. The campaign hit seven major open-source projects at once. The attackers also deleted 178 GitHub releases, wiped a repo and stripped 32,000+ GitHub stars as collateral.

In both cases, the attack surface was the AI tools developers had installed to write code faster.

RoguePilot

The same week, Orca Security disclosed a separate flaw in GitHub Copilot inside Codespaces. They called it "RoguePilot."

It worked like this: an attacker hides instructions in a GitHub Issue using HTML comment tags. A developer opens a Codespace from that repo. Copilot reads the Issue, processes the hidden prompt and quietly builds a chain that steals the developer's GITHUB_TOKEN. That token grants full read/write access to the entire repo.

The developer doesn't click anything sketchy. They just open a project.

Microsoft patched it. But the core dynamic didn't change. AI coding assistants read content from the project around them on their own. They're designed to understand context. That same quality (reading files, scanning issues, grasping the codebase) is what makes them open to instructions hidden in that context.

Every IDE failed the same test

These aren't one-offs. In a seven-month research project across every major AI-powered IDE (Cursor, GitHub Copilot, Windsurf, JetBrains Junie, Cline, Claude Code, Gemini CLI), researchers found 30+ flaws and got 24 CVEs assigned.

Every single one was vulnerable to the same basic chain: prompt injection reaches the agent, the agent reaches the IDE's built-in tools, the tools reach the system. JSON schema theft. Settings overwrite for remote code execution. Workspace tampering.

IDEs were never built with AI agents in mind. The old security model assumed code runs when you tell it to. These AI systems process everything in the project the moment you open it. That's a different trust model, and the old walls don't hold.

The tradeoff

None of this means AI coding tools are a net negative. They've changed how code gets written, and for most developers the math still works in their favor.

But the things that make them good at their job (reading your files, knowing your codebase, running commands on your behalf) are the same things that make them useful to an attacker. The API keys, tokens, internal hostnames and private code in your dev setup are all part of what the AI sees. If a poisoned Issue or a bad dependency or a rogue extension gets into that context, it can use the AI to reach whatever the AI can reach.

The attack surface used to be your code. Now it includes your assistant.

BeatMask catches credentials, API keys and sensitive code patterns before they're sent to AI tools. At the source, before anything enters an agent's context.

AI Security Supply Chain Developer Tools Prompt Injection