Attacks Exploiting AI Browser and IDE Integrations via Malicious Servers and Sidebar Spoofing
Security researchers have demonstrated new attack methods targeting AI-powered browsers and integrated development environments (IDEs) by exploiting their integration with external servers and AI sidebars. In one case, a proof-of-concept attack showed that a rogue Model Context Protocol (MCP) server could inject malicious JavaScript into Cursor’s built-in browser, allowing attackers to replace login pages, harvest credentials, and potentially compromise the victim’s workstation by leveraging the IDE’s privileges. The attack leverages the client-server architecture of MCP, which is increasingly used in AI agent workflows, and highlights the risks of using unvetted or custom MCP servers in developer environments.
Separately, researchers have revealed an "AI sidebar spoofing" technique that targets AI browsers such as Comet by Perplexity and Atlas by OpenAI. This attack exploits users’ trust in AI-generated instructions by manipulating the AI sidebar interface, potentially leading to credential theft or other malicious outcomes. Both attack vectors underscore the expanding attack surface introduced by AI integrations in browsers and development tools, and the need for heightened scrutiny of third-party server integrations and user interface trust boundaries in AI-powered applications.
Timeline
Nov 13, 2025
Knostic.ai demonstrates rogue MCP server attack on Cursor browser
Security researchers from Knostic.ai demonstrated a proof-of-concept attack showing that a malicious Model Context Protocol server can inject JavaScript into Cursor's built-in browser. The attack can replace login pages, steal credentials and cookies, and potentially lead to full workstation compromise because the MCP server inherits the IDE's privileges.
Nov 13, 2025
Researchers demonstrate AI sidebar spoofing against AI browsers
Researchers described a new attack technique called AI sidebar spoofing in which a malicious browser extension injects a fake AI assistant sidebar into AI-powered browsers such as Perplexity Comet and OpenAI Atlas. The method could be used to deliver phishing prompts, malicious links, or device-compromise instructions by abusing user trust in browser-integrated AI.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Affected Products
Sources
Related Stories
Novel Vulnerabilities and Attack Vectors in AI-Powered IDEs and Coding Assistants
A new class of vulnerabilities, termed "IDEsaster," has been discovered affecting a wide range of AI-powered Integrated Development Environments (IDEs) and coding assistants. Research revealed that over 30 security vulnerabilities, including 24 assigned CVEs, impact more than 10 leading products such as GitHub Copilot, Claude Code, and others, potentially exposing millions of users. The vulnerabilities stem from the integration of AI agents into IDEs, which were not originally designed with such capabilities in mind, leading to attack chains that can result in data exfiltration and remote code execution. Major vendors have issued advisories and updated documentation in response to these findings. Further research highlights the risks associated with the Model Context Protocol (MCP) sampling feature, commonly used in coding copilot applications. Without adequate safeguards, malicious MCP servers can exploit this feature to perform resource theft, hijack conversations, exfiltrate sensitive data, and covertly invoke tools. Proof-of-concept attacks demonstrate that the implicit trust model and lack of robust security controls in MCP can be leveraged for persistent and covert attacks, underscoring the urgent need for improved security measures in AI-driven development environments.
1 months ago
CometJacking Prompt Injection Vulnerability in Perplexity's Comet AI Browser
Security researchers at LayerX have identified a critical security weakness in the Comet AI browser developed by Perplexity, which is susceptible to a novel prompt injection attack dubbed 'CometJacking.' The vulnerability allows attackers to craft malicious URLs that, when processed by the Comet browser, inject hidden instructions capable of accessing sensitive data from connected services such as email and calendar applications. The attack does not require user credentials or direct interaction, making it particularly dangerous and easy to exploit. By embedding malicious prompts in web pages, comment sections, or even code accessed by the browser, cybercriminals can instruct Comet to exfiltrate data residing in memory or accessible through its integrations. For example, if a user asks Comet to rewrite an email or schedule a meeting, the browser could be manipulated to extract and transmit the content and metadata of those communications to an external server controlled by the attacker. LayerX demonstrated a proof of concept where the browser was instructed to encode sensitive data in base64 and send it to a remote endpoint, successfully bypassing Perplexity's existing safeguards. The browser's agentic AI capabilities, which allow it to autonomously perform tasks like managing emails, shopping, and booking tickets, increase the potential impact of this vulnerability. Despite being notified of the issue in late August, Perplexity responded that the reported weakness was 'not applicable' and considered it beyond their control to remediate. Security experts warn that the rapid adoption of the Comet browser, combined with its integration with various personal and enterprise services, amplifies the risk of widespread data exfiltration if the vulnerability is exploited in the wild. The attack leverages the 'collection' parameter in the URL query string to deliver the malicious prompt, instructing the AI agent to consult its memory and connected services rather than simply searching the web. This method allows attackers to bypass direct data transmission restrictions implemented by Perplexity, as the AI agent itself is manipulated to perform the exfiltration. The vulnerability highlights the broader risks associated with agentic AI browsers that have deep integrations with user data and services. Security researchers emphasize the need for more robust safeguards and prompt injection defenses in AI-powered browsers to prevent similar attacks. The incident also raises questions about vendor responsibility and the challenges of securing AI-driven automation tools. Organizations using the Comet browser are advised to review their security posture and consider the risks of integrating sensitive services with agentic AI tools. The case underscores the importance of continuous security assessment and responsible disclosure in the rapidly evolving landscape of AI-powered applications. As the CometJacking technique requires only a crafted URL, it could be weaponized in phishing campaigns or embedded in seemingly innocuous web content, increasing the attack surface for potential victims. The ongoing debate between researchers and the vendor over the severity and remediability of the issue further complicates the response and mitigation efforts.
1 months ago
Malicious Browser Extensions Spoofing AI Sidebars for Credential Theft
SquareX researchers have uncovered a new attack method in which malicious browser extensions impersonate trusted AI sidebar interfaces in popular browsers. These extensions create pixel-perfect replicas of legitimate AI sidebars, such as those found in browsers like Comet, Brave, and Edge, to deceive users into following harmful AI-generated instructions. The spoofed sidebars are used to trick users into executing commands that can result in credential theft, device hijacking, and password exfiltration. The attack exploits the high level of trust users place in AI browser interfaces, making it difficult for even security-conscious individuals to distinguish between genuine and malicious sidebars. In one documented case, a user seeking to withdraw cryptocurrency was directed by the fake sidebar to a phishing site instead of the legitimate Binance login page, leading to the compromise of their credentials. SquareX warns that this attack vector is likely to evolve, with more variants expected as attackers continue to exploit the widespread adoption of AI-powered browser features.
1 months ago