Supply Chain · High

Rules File Backdoor: hidden Unicode in AI coding-assistant config

March 2025 · Cursor / GitHub Copilot
What happened
Pillar Security showed that instructions written in hidden Unicode characters and embedded in shared AI coding-assistant config files, such as Cursor's .cursor/rules and Copilot's instruction files, are invisible to human reviewers but parsed by the agent, silently steering it to inject backdoored code. The poisoned config spreads through forks and templates.
Root cause
AI assistants treat project rules files as trusted guidance and parse hidden Unicode that human reviewers cannot see, so a shared config becomes a durable, propagating injection vector.
Fix / outcome
Disclosed to Cursor and GitHub, which largely treated it as a user-responsibility issue; GitHub added a hidden-Unicode warning. Review rules files for invisible characters and treat shared agent config as code.
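The review step recommended above can be automated. The following scanner is an added example, not code from Pillar Security, Cursor or GitHub; it reports invisible code points in agent rules files and exits non-zero when any are found. The file globs, the set of character classes checked and the sample string are assumptions, not details from this entry.

```python
import sys
import unicodedata
from pathlib import Path

# Assumed rules-file locations (not from the incident entry); adjust per repository.
RULE_GLOBS = (".cursor/rules/**/*", ".github/copilot-instructions.md")
# Constructed sample: a zero-width space followed by tag characters mirroring "hi".
SAMPLE = "Use tabs.\u200b\U000E0068\U000E0069\nPrefer const."


def find_hidden(text):
    """Return (line, column, 'U+XXXX', name) for each invisible code point."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if (lineno, col, ch) == (1, 1, "\ufeff"):
                continue  # a leading byte-order mark is an encoding artifact
            cp = ord(ch)
            # Variation selectors are category Mn but have no glyph of their own.
            is_vs = 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF
            # Cf covers zero-width, bidi-control and tag characters.
            if is_vs or unicodedata.category(ch) in ("Cf", "Zl", "Zp"):
                findings.append((lineno, col, f"U+{cp:04X}", unicodedata.name(ch, "UNNAMED")))
    return findings


def reveal_tags(text):
    """Decode tag characters (U+E0020..U+E007E) to the ASCII they mirror."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)


def scan_repo(root):
    """Map each rules file under root to its findings; clean files are omitted."""
    root, report = Path(root), {}
    for pattern in RULE_GLOBS:
        for path in sorted(root.glob(pattern)):
            if path.is_file():
                hits = find_hidden(path.read_text(encoding="utf-8", errors="replace"))
                if hits:
                    report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    report = scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, hits in report.items():
        for lineno, col, cp, name in hits:
            print(f"{path}:{lineno}:{col}: {cp} {name}")
    sys.exit(1 if report else 0)  # non-zero exit fails a CI job or pre-commit hook
```

Emoji sequences that legitimately use zero-width joiners or variation selectors are flagged too, so each hit in a rules file is a prompt for review rather than proof of tampering.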