ML Security PapersCuckoo Attack: Stealthy and Persistent Attacks Against AI-IDE
Xinpeng Liu 1, Junming Liu 1, Peiyu Liu 1, Han Zheng 2, Qinying Wang 2, Mathias Payer 2, Shouling Ji 1, Wenhai Wang 1
Published on arXiv
2509.15572
Prompt Injection
OWASP LLM Top 10 — LLM01
Insecure Plugin Design
OWASP LLM Top 10 — LLM07
Key Finding
End-to-end PoC successfully demonstrated stealthy, persistent malicious command execution across nine mainstream Agent and AI-IDE pairs without triggering user suspicion or security warnings.
Cuckoo Attack
Novel technique introduced
Modern AI-powered Integrated Development Environments (AI-IDEs) are increasingly defined by an Agent-centric architecture, where an LLM-powered Agent is deeply integrated to autonomously execute complex tasks. This tight integration, however, also introduces a new and critical attack surface. Attackers can exploit these components by injecting malicious instructions into untrusted external sources, effectively hijacking the Agent to perform harmful operations beyond the user's intention or awareness. This emerging threat has quickly attracted research attention, leading to various proposed attack vectors, such as hijacking Model Context Protocol (MCP) Servers to access private data. However, most existing approaches lack stealth and persistence, limiting their practical impact. We propose the Cuckoo Attack, a novel attack that achieves stealthy and persistent command execution by embedding malicious payloads into configuration files. These files, commonly used in AI-IDEs, execute system commands during routine operations, without displaying execution details to the user. Once configured, such files are rarely revisited unless an obvious runtime error occurs, creating a blind spot for attackers to exploit. We formalize our attack paradigm into two stages, including initial infection and persistence. Based on these stages, we analyze the practicality of the attack execution process and identify the relevant exploitation techniques. Furthermore, we analyze the impact of Cuckoo Attack, which can not only invade the developer's local computer but also achieve supply chain attacks through the spread of configuration files. We contribute seven actionable checkpoints for vendors to evaluate their product security. The critical need for these checks is demonstrated by our end-to-end Proof of Concept, which validated the proposed attack across nine mainstream Agent and AI-IDE pairs.
Key Contributions
- Cuckoo Attack: a two-stage (initial infection + persistence) attack that embeds executable malicious payloads in AI-IDE configuration files, achieving stealthy command execution without user awareness
- Analysis of supply chain attack propagation via shared configuration files across developer repositories
- Seven actionable vendor security checkpoints validated by an end-to-end PoC across nine mainstream Agent and AI-IDE pairs