A developer opens Cursor, asks it to "fix the failing test," and the agent quietly reads a hidden instruction buried in a dependency's README, then exfiltrates a .env file to a webhook it was just told to call. No malware executable, no exploit chain, no CVE — just text that a large language model treated as a command. This is prompt injection, and in 2025 it stopped being a theoretical AI-safety concern and became a practical software supply chain problem. Researchers disclosed a 9.6-severity vulnerability in GitHub Copilot Chat, a technique for smuggling invisible instructions into .cursorrules files, and a wave of npm packages carrying payloads written for AI agents rather than humans. Socket.dev has documented several of these campaigns from a package-registry lens. Below, we break down what happened, why "prompt injection malware" targeting AI tools is now a distinct threat category, and how Safeguard closes the gap that scanning code alone leaves open.
What Is Prompt Injection, and Why Does It Matter for AI Coding Tools?
Prompt injection is an attack where untrusted content — a file, a comment, a commit message, a package README — contains instructions that an AI model follows as if they came from the user. It matters for coding tools specifically because agents like GitHub Copilot, Cursor, Windsurf, and Claude Code are granted exactly the permissions an attacker wants: read access to source code and secrets, write access to the filesystem, and often the ability to run shell commands or make network calls. Security researcher Simon Willison named this combination the "lethal trifecta" in June 2025: an agent that (1) reads untrusted data, (2) has access to private information, and (3) can communicate externally. Any two AI coding assistants wired into a repo, a ticket tracker, and the internet satisfy all three conditions by default, which is why a single poisoned file can turn a helpful agent into an unwitting exfiltration channel.
How Did the "Rules File Backdoor" Attack Hijack Cursor and GitHub Copilot?
It worked by hiding attacker instructions inside configuration files using invisible Unicode characters that render as blank space to a human reviewer but are parsed as text by the model. Pillar Security disclosed the technique in March 2025, showing that .cursor/rules files and .github/copilot-instructions.md — files teams routinely commit to shared repos to "teach" the AI their coding conventions — could carry zero-width joiners and bidirectional control characters that silently instructed the assistant to insert backdoors, disable input validation, or exfiltrate environment variables in every subsequent code suggestion. Because the payload was invisible in diffs and code review UIs, a malicious pull request adding a "helpful" rules file could pass human review while poisoning every AI-generated commit that followed it, in every repository that inherited the file.
What Happened in the CamoLeak GitHub Copilot Chat Vulnerability?
CamoLeak let an attacker steal private repository contents and secrets just by opening a public issue containing hidden text, no clicks required from the victim. Disclosed in August 2025 by researcher Omer Mayraz and rated CVSS 9.6, the flaw combined prompt injection with GitHub's own Camo image-proxy feature: instructions hidden in an issue or pull request comment (via white-on-white text or HTML comments) told Copilot Chat to encode private code and even leaked API keys into a sequence of image URLs, which Camo would then fetch on the attacker's behalf, reconstructing the stolen data on the attacker's server one "invisible pixel" at a time. It affected any public repo with Copilot Chat enabled and required zero interaction beyond the AI reading an attacker-controlled comment — a textbook demonstration that the trust boundary in AI-assisted development isn't the network perimeter, it's every piece of text the model is allowed to read.
Can Malicious npm or PyPI Packages Weaponize Prompt Injection Against AI Agents?
Yes — registries have already seen packages whose payload is aimed at the AI reviewing the code, not the runtime executing it. Beyond traditional typosquats and postinstall scripts, threat researchers (including Socket.dev's threat research team) have catalogued packages that embed natural-language instructions in README files, docstrings, or package descriptions specifically to manipulate AI coding assistants and AI-powered code review tools into approving, summarizing, or even propagating malicious code as "safe." A related and fast-growing vector is the Model Context Protocol (MCP): Invariant Labs published research in April 2025 on "tool poisoning," where a malicious or compromised MCP server describes its tools with hidden instructions that get injected into an agent's context the moment the tool list is loaded — before the agent ever calls the tool. In September 2025, a popular MCP integration package was found to have been silently updated to BCC every outgoing email to an attacker-controlled address, illustrating how a single trusted dependency update can turn an AI tool's own connective tissue into an exfiltration path.
Why Can't Traditional SCA and SAST Tools Catch This?
Because they're built to find known-bad code patterns and vulnerable versions, not natural-language instructions designed to manipulate a model's reasoning. A static analyzer scanning for eval() calls or a software composition analysis tool checking package hashes against a CVE database has no concept of "this README contains a jailbreak payload" or "this rules file has zero-width characters targeting an LLM." Socket.dev and similar registry-focused scanners have made real progress flagging suspicious install scripts and metadata anomalies, which catches some of this — but prompt injection payloads are deliberately engineered to look like ordinary documentation, comments, or config, and they often only become "malicious" in the context of a specific AI agent's permissions and tool access. That's a semantic problem, not a signature-matching problem, and it requires understanding what an AI agent can do with the content it's reading — not just what the content contains.
How Safeguard Helps
Safeguard treats AI coding and security tools as first-class parts of the software supply chain, not as a blind spot outside it. That means scanning for prompt injection indicators everywhere they hide — invisible Unicode, encoded instructions, and imperative language patterns embedded in READMEs, .cursorrules, copilot-instructions.md, MCP server manifests, and package metadata — rather than limiting analysis to executable code and known CVEs. Safeguard maps the actual permission surface of each AI agent in your pipeline (repo access, shell execution, network egress, secrets exposure) so a flagged instruction is scored by what it could actually do in your environment, closing the "lethal trifecta" gap instead of treating every match as equally urgent. For dependencies and MCP integrations, Safeguard continuously re-verifies packages after installation, since attacks like the September 2025 MCP backdoor update ship malicious behavior after a package has already passed initial review. And because prompt injection defenses are only as good as their coverage of new techniques, Safeguard's research team tracks disclosures like CamoLeak and Rules File Backdoor as they happen, shipping updated detection rules rather than leaving teams to discover the next variant in production. The result is a supply chain security posture that accounts for the newest, fastest-moving class of dependency risk: the one written for your AI, not for you.