
Black Hat: Researchers demonstrate zero-click prompt injection attacks in popular AI agents




“Unfortunately, due to the natural language nature of prompt injections, blocking them using classifiers or any kind of blacklisting isn’t enough,” they said in their report. “There are just too many ways to write them, hiding them behind benign topics, using different phrasings, tones, languages, etc. Just like we don’t consider malware fixed because another sample made it into a deny list, the same is true for prompt injection.”

Hijacking Cursor coding assistant via Jira tickets

As part of the same research effort, Zenity also investigated Cursor, one of the most popular AI-assisted code editors and IDEs. Cursor can integrate with many third-party tools, including Jira, one of the most popular project management platforms used for issue tracking.

“You can ask Cursor to look into your assigned tickets, summarize open issues, and even close tickets or reply automatically, all from within your editor. Sounds great, right?” the researchers said. “But tickets aren’t always created by developers. In many companies, tickets from external systems like Zendesk are automatically synced into Jira. This means that an external actor can send an email to a Zendesk-connected support address and inject untrusted input into the agent’s workflow.”
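The two passages above make one design point: the text of a synced ticket cannot be made safe by scanning its wording, so the control has to sit on provenance and on what the agent is authorized to do with the ticket. The following Python is an added illustration of that pattern and is not code from Zenity, Cursor, or Jira; the tool names (`summarize`, `close_ticket`, `reply`), the source labels (`jira-ui`, `zendesk-sync`) and the sample tickets are all constructed for the example. A ticket that did not originate from an internal Jira user is wrapped as untrusted data for the model, and any state-changing action it would trigger is held for human approval instead of executed, without consulting any keyword filter.

```python
"""Provenance-gated tool use for an agent that reads project tickets.

Added example (not Cursor's or Jira's code). Every identifier below is an
assumption for illustration: the tool names, the source labels written by the
integration layer, and the sample tickets.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical tool names the agent can invoke on a ticket.
READ_ONLY_ACTIONS = {"summarize"}
STATE_CHANGING_ACTIONS = {"close_ticket", "reply"}

# Hypothetical provenance labels stamped on a ticket by the integration layer
# when it is created. Only tickets authored inside Jira's own UI count as trusted;
# anything mirrored in from an external channel (e.g. a Zendesk sync) does not.
TRUSTED_SOURCES = {"jira-ui"}


@dataclass(frozen=True)
class Ticket:
    key: str
    source: str                 # e.g. "jira-ui" or "zendesk-sync"
    reporter_is_internal: bool  # reporter is an authenticated employee account
    body: str                   # free text; never inspected for "bad words" here


def is_trusted(ticket: Ticket) -> bool:
    """Trust is decided by where the ticket came from, not by what it says.

    This mirrors the report's point that classifiers and deny lists are not a
    sufficient control for prompt injection: the wording is ignored entirely.
    """
    return ticket.source in TRUSTED_SOURCES and ticket.reporter_is_internal


def wrap_untrusted(text: str) -> str:
    """Delimit external text so the model is told to treat it as data.

    Delimiters reduce but do not remove instruction/data confusion, which is
    why plan_actions() below keeps the authorization decision out of the model.
    """
    return "<untrusted_ticket_text>\n" + text + "\n</untrusted_ticket_text>"


def plan_actions(ticket: Ticket, requested: List[str]) -> Dict[str, object]:
    """Split the tool calls the agent wants into run-now / needs-human / denied.

    Read-only actions always run. State-changing actions run automatically only
    for trusted tickets; for untrusted tickets they are queued for approval.
    Unknown tools are denied by default.
    """
    trusted = is_trusted(ticket)
    allowed: List[str] = []
    needs_approval: List[str] = []
    rejected: List[str] = []
    for action in requested:
        if action in READ_ONLY_ACTIONS:
            allowed.append(action)
        elif action in STATE_CHANGING_ACTIONS:
            (allowed if trusted else needs_approval).append(action)
        else:
            rejected.append(action)
    context = ticket.body if trusted else wrap_untrusted(ticket.body)
    return {
        "ticket": ticket.key,
        "trusted": trusted,
        "allowed": allowed,
        "needs_approval": needs_approval,
        "rejected": rejected,
        "context": context,
    }


def audit_line(decision: Dict[str, object]) -> str:
    """One-line record for the agent's audit log; a SOC can alert on
    needs_approval entries coming from external sources."""
    return (
        f"ticket={decision['ticket']} trusted={decision['trusted']} "
        f"allowed={','.join(decision['allowed']) or '-'} "
        f"needs_approval={','.join(decision['needs_approval']) or '-'} "
        f"rejected={','.join(decision['rejected']) or '-'}"
    )


if __name__ == "__main__":
    # Constructed sample tickets.
    synced = Ticket("SUP-42", "zendesk-sync", False,
                    "Customer reports the login page build fails on main.")
    internal = Ticket("DEV-7", "jira-ui", True, "Refactor the auth module.")
    for t in (synced, internal):
        print(audit_line(plan_actions(t, ["summarize", "close_ticket", "reply"])))
```

Run as a script, the synced ticket yields `allowed=summarize needs_approval=close_ticket,reply`, while the internal ticket yields `allowed=summarize,close_ticket,reply`. The deciding function never reads the ticket body, so rephrasing, translating or hiding an instruction inside the text changes nothing about what the agent is permitted to do.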