TH16802
Detected presence of AI assistant extensions that execute unusual system commands.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | fail | high | high | 1 | tampering: fail Reason: dangerous AI extensions |
About the issueโ
AI assistant extensions are commonly used by software developers to extend the functionality of AI coding assistants, agentic development tools, and other AI-powered developer tools. Extensions are typically distributed through public marketplaces as packages that bundle skill instruction files with supporting resources. Skill instruction files describe specialized capabilities that the AI assistant can invoke, such as guidance for handling specific file formats, performing domain-specific tasks, or interacting with particular services. The AI assistant loads instructions from these files into its context and follows them when relevant user requests or workflow events occur. These instructions are written by extension authors to guide the AI assistant toward the intended capability, or to provide additional context for nominal extension use. However, AI assistant extensions are commonly abused by threat actors to influence the AI assistant into performing arbitrary actions within the development environment. It was detected that the skill instruction files could direct the AI assistant to execute unusual operating system commands. Unusual commands resemble common threat actor tactics, such as destructive file deletion, elevation of privileges, or tampering with security settings. Unusual skill instruction files often contain indirect phrasing, misleading context, or other prompt injection techniques.
How to resolve the issueโ
- Investigate reported detections.
- Consult Mitre ATT&CK documentation: T1176 - Software Extensions.
- If the AI assistant extension intent does not relate to the reported behavior, investigate your development environment for software supply chain compromise.
- You should stop using the AI assistant extension until the investigation is completed, or until the issue is risk accepted.
- Consider replacing the AI assistant extension with an alternative.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- Linux: 562K
- NPM: 5.12M
- Nuget: 735K
- PS Gallery: 17K
- PyPi: 838K
- RubyGems: 203K
- VS Code: 113K
- Windows: 3.7K
Recommended readingโ
- Software Extensions (External resource)