Security teams spent the last decade turning laptops into locked-down fortresses, EDR agents everywhere, hardened configs, tight inventories, nonstop malware hunting. Now researchers say attackers are slipping in through a door many companies barely monitor: the developer’s coding environment.
At RSA Conference 2026 in San Francisco, Check Point Software’s chief technologist Oded Vanunu warned that AI-powered coding assistants, and the plugins, “hooks,” and automation they rely on, can be abused to run commands and move data in ways that look legitimate to endpoint defenses. Several high-severity flaws discussed at the conference have since been patched by vendors, but the bigger takeaway remains: the IDE is no longer just a text editor. It’s an orchestrator with real power on a machine that often holds the keys to the kingdom.
The new weak spot: “legit” developer workflows that don’t look like malware
Sommaire
- 1 The new weak spot: “legit” developer workflows that don’t look like malware
- 2 Check Point’s warning at RSAC: the IDE is now a prime attack surface
- 3 A “swap attack” in Cursor shows how approvals can be gamed
- 4 Claude Code hooks and a trust dialog that can arrive too late
- 5 Prompt injection and supply-chain risk: the blast radius can extend to customers
- 6 What defenders are pushing: real-time controls inside the IDE, not just after the fact
- 7 Key Takeaways
- 8 Frequently Asked Questions
- 9 Sources
The core shift is simple. Attackers don’t always need to drop a sketchy executable like “malware.exe” to get code running on a developer’s machine. Instead, they can target configuration files, plugin systems, automation scripts, and AI prompts, mechanisms that development tools are designed to trust.
That creates a nightmare for security operations centers. When a command is launched by an approved dev tool inside a normal workflow, it can blend into the noise. Even strong EDR products are tuned to spot suspicious artifacts and behavior patterns; “expected” scripts running in a developer context can look routine, especially in fast-moving teams.
Check Point’s warning at RSAC: the IDE is now a prime attack surface
Vanunu framed it as a new era of client-side attacks driven by “agentic” AI tools, assistants that don’t just suggest code, but can modify files, interact with repositories, pull dependencies, and trigger actions on the local system.
His point wasn’t that one brand is uniquely risky. Tools from major players, Anthropic (Claude Code), OpenAI (Codex), and Google (Gemini), share a common direction: deeper integration with plugins and connectors that expand what the assistant can do. The more power you add, plugin marketplaces, MCP servers, shell hooks, the more you expand the attack surface.
This also reinforces a growing argument in application security: scanning after the commit isn’t enough when AI can compress the time between suggestion and deployment to minutes. Some vendors, including Checkmarx, are pushing security controls directly into the IDE, where risky changes are introduced, while acknowledging that concentrating power in the IDE also concentrates risk if governance is weak.
A “swap attack” in Cursor shows how approvals can be gamed
One of the most concrete examples highlighted wasCVE-2025-54136, a high-severity remote code execution (RCE) issue in Cursor, an AI coding platform. The vulnerability centered on how a developer’s approval was handled for a command coming from an MCP server.
Researchers described a “swap attack” scenario: an attacker first submits a harmless command that’s likely to get approved. After the user grants permission, the attacker updates or replaces the plugin with a malicious payload, without forcing the developer to repeat the same level of scrutiny.
The lesson is a classic integrity problem. If approvals are tied to a plugin name or a broad “intent,” rather than a content hash or similarly strong binding to what was actually reviewed, the final executed code can diverge from what the user thought they approved.
That’s especially dangerous on developer machines, which often have elevated privileges and access to sensitive assets, API tokens, signing credentials, build systems, and sometimes cloud keys. Even a good EDR may struggle if the activity rides along inside a trusted toolchain and looks like normal automation.
Claude Code hooks and a trust dialog that can arrive too late
Another high-severity issue discussed wasCVE-2025-59536inClaude Code. Researchers said an attacker could trigger execution of malicious code embedded in a projectbeforethe user accepted the tool’s “startup trust dialog”, the prompt meant to act as a safety gate.
The vector involvedClaude Code Hooks, user-defined shell commands designed to run automatically. In many dev environments, hooks are a convenience feature, formatting, tests, code generation, repetitive tasks. But if a project includes booby-trapped hooks, or if an assistant can be manipulated into activating them, the resulting execution can look like standard developer automation.
Check Point’s broader point about EDR applies here: when execution happens through expected scripts in a developer context, defenders can face overwhelming background noise. Teams often respond by loosening rules to keep developers productive, creating blind spots attackers can exploit.
Prompt injection and supply-chain risk: the blast radius can extend to customers
AI coding assistants don’t operate in a vacuum. They ingest context from README files, issue trackers, comments, snippets pasted from the web, and dependency documentation. That’s whereprompt injectionbecomes practical: text inside a project, or inside a dependency, can steer the assistant to ignore rules, change priorities, or recommend risky actions.
Then there’s the supply-chain problem. Even if the vulnerabilities discussed at RSAC haven’t triggered a headline-grabbing mass compromise, they map cleanly onto how modern software spreads: shared libraries, copied patterns, reused pipelines. A compromise in a widely used tool or workflow can ripple downstream to many organizations.
Adoption is already near-universal, while oversight lags. According to Black Duck,95%of organizations now use AI tools in software development.76%say they review AI-generated code for security risk, but only24%conduct full evaluations that also cover quality, licensing, and intellectual property. That gap isn’t just technical. It’s organizational: companies are industrializing output faster than they’re industrializing guardrails.
What defenders are pushing: real-time controls inside the IDE, not just after the fact
Endpoint security isn’t going away, but vendors argue it has to adapt. Palo Alto Networks has promoted AI-assisted endpoint defenses, next-gen antivirus and EDR enhanced with behavioral analytics, to spot weak signals and suspicious chains of events faster, sometimes automatically.
But the key question is where you’re watching. If the attack starts inside the IDE, waiting for post-commit checks or CI/CD scans can mean the risky change has already spread across branches, builds, and environments. Checkmarx and others are pushing protections “at the moment risk is introduced,” including monitoring plugin activity, analyzing AI suggestions, and intercepting suspicious changes before they harden into production code.
In practice, that can mean integrity checks for plugins, tighter authorization policies for MCP servers, alerts when an assistant attempts to run shell commands, and better correlation between IDE telemetry and endpoint signals. The bigger implication for enterprises is uncomfortable but clear: if AI assistants are allowed to act like operators on developer machines, organizations need to govern them like operators, not like autocomplete.
| 🔎 Élément clé | 📌 Information essentielle |
|---|---|
| Sujet | Les assistants de code IA déplacent la surface d’attaque vers l’IDE et le poste développeur |
| Constat principal | L’endpoint security classique peut être contournée via des mécanismes légitimes de l’environnement de développement |
| Contexte | Des vulnérabilités corrigées ont été présentées à la RSAC 2026 par Check Point |
| Outils concernés | Assistants de code et environnements intégrant plugins, serveurs MCP, hooks shell et automatisations |
| Changement de risque | L’IDE n’est plus un simple éditeur, il devient un orchestrateur capable d’exécuter des actions sensibles |
| Technique d’attaque | L’attaquant vise les configurations, plugins, hooks et invites manipulées plutôt qu’un malware classique |
| Exemple 1 | La CVE-2025-54136 dans Cursor illustre un scénario de RCE via “swap attack” |
| Risque Cursor | Une commande bénigne peut être approuvée puis remplacée par une charge malveillante via mise à jour du plugin |
| Exemple 2 | La CVE-2025-59536 dans Claude Code permettait une exécution avant validation du trust dialog |
| Risque Hooks | Les hooks shell automatiques peuvent servir de vecteur d’exécution locale malveillante |
| Impact sécurité | Les actions malveillantes peuvent ressembler à des workflows normaux, ce qui complique la détection par l’EDR |
| Risque développeur | Le poste de dev concentre souvent secrets, tokens, accès cloud et environnements de build |
| Prompt injection | Du contenu dans un projet, un ticket ou une dépendance peut influencer l’assistant et détourner ses actions |
| Supply chain | Une faiblesse dans un assistant ou un workflow peut se propager à de nombreuses entreprises en aval |
| Donnée marché | L’adoption de l’IA en développement est massive, mais les contrôles complets restent minoritaires |
| Problème organisationnel | La vitesse de production augmente plus vite que les garde-fous de sécurité, qualité, licences et IP |
| Réponse défensive | La protection doit se déplacer dans l’IDE, au moment où le risque est introduit |
| Mesures clés | Contrôles d’intégrité des plugins, politiques sur les serveurs MCP, limitation des hooks et surveillance des commandes shell |
| Approche recommandée | Corréler les signaux entre poste, IDE, dépôt et pipeline au lieu de compter sur un seul filet de sécurité |
| Conclusion | Les assistants de code IA améliorent la productivité, mais transforment l’IDE en point d’entrée critique pour les attaques |
Key Takeaways
- Fixed vulnerabilities in coding assistants have demonstrated realistic scenarios of RCE and unintended execution.
- The IDE becomes a critical attack surface through plugins, MCP servers, and shell hooks.
- Prompt injection and supply-chain attacks can propagate risk to downstream organizations.
- AI adoption in software development is widespread, but comprehensive controls remain a minority (24%).
- Defense is shifting toward real-time controls in the IDE, complementing EDR.
Frequently Asked Questions
Why do AI coding assistants weaken endpoint security?
Because they integrate into the developer workstation and can interact with the system via plugins, MCP servers, or hooks. A malicious action can then use legitimate mechanisms, making it harder for an EDR to distinguish from normal use.
What does CVE-2025-54136 in Cursor show?
It illustrates an RCE scenario via a “swap attack,” where authorization is tied to the plugin name rather than the fingerprint of the approved content. An attacker can get a benign command approved and then replace the plugin with a malicious payload.
What is the main risk around hooks in Claude Code?
Hooks are automatic shell commands. CVE-2025-59536 showed that an attacker could cause the tool to execute code present in a project before the trust dialog is accepted, reducing the effectiveness of the trust barrier.
Why is the supply chain particularly exposed with these tools?
Because assistants influence projects that reuse dependencies and practices, which can impact downstream companies. A weakness in a tool or workflow can spread quickly through shared code, plugins, or automations.
What defensive approaches are being emphasized by industry players?
Strengthening EDR with AI capabilities, and also moving controls closer to where risk is introduced—inside the IDE—through plugin monitoring, integrity checks, execution policies, and real-time detection of abnormal behavior.
Sources
- How AI Coding Tools Crushed the Endpoint Security Fortress
- AI coding tools exploded in 2025. The first security exploits … – Fortune
- What is the Role of AI in Endpoint Security? – Palo Alto Networks
- Generative AI in Cybersecurity: Why the IDE Is Now a …
- AI Coding Security Gap: 76% Expose Software Supply Chain to Risk



