“Sadly, due to the natural language nature of prompt injections, blocking them using classifiers or any sort of blacklisting isn’t sufficient,” they said in their report. “There are simply too many ways to write them, hiding them behind benign topics, using different phrasings, tones, languages, etc. Just like we don’t consider malware fixed because another sample made it into a deny list, the same is true for prompt injection.”
Hijacking Cursor coding assistant via Jira tickets
As part of the same research effort, Zenity also investigated Cursor, one of the most popular AI-assisted code editors and IDEs. Cursor can integrate with many third-party tools, including Jira, one of the most popular project management platforms used for issue tracking.
“You can ask Cursor to look into your assigned tickets, summarize open issues, and even close tickets or respond automatically, all from inside your editor. Sounds great, right?” the researchers said. “But tickets aren’t always created by developers. In many companies, tickets from external systems like Zendesk are automatically synced into Jira. This means that an external actor can send an email to a Zendesk-connected support address and inject untrusted input into the agent’s workflow.”