
Systematic scan of agentic development research. What's signal, what's noise.



      1 {
      2   "paper": {
      3     "title": "Cuckoo Attack: Stealthy and Persistent Attacks Against AI-IDE",
      4     "authors": ["Xinpeng Liu", "Junming Liu", "Peiyu Liu", "Han Zheng", "Qinying Wang", "Mathias Payer", "Shouling Ji", "Wenhai Wang"],
      5     "year": 2025,
      6     "arxiv_id": "2509.15572"
      7   },
      8   "checklist": {
      9     "artifacts": {
     10       "code_released": {
     11         "applies": true,
     12         "answer": true,
     13         "justification": "PoC artifacts are uploaded to Zenodo (https://zenodo.org/records/16757439) and the user study form is publicly available. Section V and Ethics section confirm open-sourced PoC artifacts."
     14       },
     15       "data_released": {
     16         "applies": true,
     17         "answer": false,
     18         "justification": "The user study raw data is not released. The authors state they 'deleted all the metadata generated in the analysis process' (Ethics section). No dataset of configuration files or analysis scripts is provided."
     19       },
     20       "environment_specified": {
     21         "applies": true,
     22         "answer": false,
     23         "justification": "The PoC environment is described at a high level (MacBook Air, Kali Linux, Cobalt Strike) but no requirements.txt, Dockerfile, or detailed dependency specifications are provided."
     24       },
     25       "reproduction_instructions": {
     26         "applies": true,
     27         "answer": false,
     28         "justification": "While PoC videos are uploaded to Zenodo and the attack flow is described, there are no step-by-step reproduction instructions with specific commands to replicate the experiments."
     29       }
     30     },
     31     "statistical_methodology": {
     32       "confidence_intervals_or_error_bars": {
     33         "applies": true,
     34         "answer": false,
     35         "justification": "The user study reports percentages (e.g., 80%, 74%, 73%) but no confidence intervals or error bars are provided for these estimates from 112-124 participants."
     36       },
     37       "significance_tests": {
     38         "applies": false,
     39         "answer": false,
     40         "justification": "The paper does not make comparative statistical claims between groups. The user study is descriptive, and the security evaluation is pass/fail per IDE."
     41       },
     42       "effect_sizes_reported": {
     43         "applies": false,
     44         "answer": false,
     45         "justification": "No comparative claims requiring effect sizes are made. Results are binary (vulnerable/not vulnerable) or descriptive percentages."
     46       },
     47       "sample_size_justified": {
     48         "applies": true,
     49         "answer": false,
     50         "justification": "The user study has 112-124 participants (discrepancy: 124 in Section IV-A, 112 in Appendix A) with no justification for sample size or power analysis."
     51       },
     52       "variance_reported": {
     53         "applies": false,
     54         "answer": false,
     55         "justification": "The experiments are deterministic security evaluations (exploit works or doesn't), not repeated stochastic trials requiring variance reporting."
     56       }
     57     },
     58     "evaluation_design": {
     59       "baselines_included": {
     60         "applies": true,
     61         "answer": true,
     62         "justification": "The paper compares against prior attack paradigms (e.g., direct MCP credential exfiltration from Invariant Lab, direct command execution attacks) and explains how Cuckoo Attack differs in stealth and persistence."
     63       },
     64       "baselines_contemporary": {
     65         "applies": true,
     66         "answer": true,
     67         "justification": "Baseline attacks referenced are recent (2024-2025), including Invariant Lab MCP exploits, AgentPoison, and CVE-2025-54135."
     68       },
     69       "ablation_study": {
     70         "applies": true,
     71         "answer": false,
     72         "justification": "No ablation study is conducted. The paper does not systematically test which attack components (e.g., obfuscation, exec chaining) contribute most to success."
     73       },
     74       "multiple_metrics": {
     75         "applies": true,
     76         "answer": true,
     77         "justification": "Evaluation covers multiple dimensions: exploit file editing success, exploit command execution success, display of startup command, achievement of command injection (CI), and manual approval count (Table III)."
     78       },
     79       "human_evaluation": {
     80         "applies": true,
     81         "answer": true,
     82         "justification": "A user study (112-124 participants) evaluates developer willingness to delegate configuration tasks to agents, which is relevant to the attack's real-world feasibility claims."
     83       },
     84       "held_out_test_set": {
     85         "applies": false,
     86         "answer": false,
     87         "justification": "This is a security research paper demonstrating vulnerabilities, not a benchmark evaluation requiring train/test splits."
     88       },
     89       "per_category_breakdown": {
     90         "applies": true,
     91         "answer": true,
     92         "justification": "Table II provides per-IDE breakdown of seven security checkpoints, and Table III provides per-IDE exploit results across multiple dimensions."
     93       },
     94       "failure_cases_discussed": {
     95         "applies": true,
     96         "answer": true,
     97         "justification": "Cursor is identified as the one IDE that resists the MCP configuration attack (filters && in mcp.json). The paper discusses why it fails and notes that Cursor remains vulnerable to the broader attack paradigm."
     98       },
     99       "negative_results_reported": {
    100         "applies": true,
    101         "answer": true,
    102         "justification": "The paper reports that Cursor blocks the specific MCP attack vector, and that Cline with GPT-4.1 is not opaque in information retrieval. Some IDEs resist file editing exploits (Table III)."
    103       }
    104     },
    105     "claims_and_evidence": {
    106       "abstract_claims_supported": {
    107         "applies": true,
    108         "answer": true,
    109         "justification": "Abstract claims about stealthy/persistent attacks, nine AI-IDE pairs tested, and PoC validation are supported by Section V results (Table III shows 8/9 achieve CI)."
    110       },
    111       "causal_claims_justified": {
    112         "applies": true,
    113         "answer": true,
    114         "justification": "Causal claims are about exploit mechanisms (e.g., 'embedding payloads into configuration files achieves persistence'). These are demonstrated through direct PoC execution, which constitutes adequate causal evidence for security research."
    115       },
    116       "generalization_bounded": {
    117         "applies": true,
    118         "answer": true,
    119         "justification": "The paper bounds claims to the nine specific AI-IDE/Agent pairs tested and notes that Cursor's defense is narrow. Supply chain impact estimates are clearly labeled as potential rather than demonstrated."
    120       },
    121       "alternative_explanations_discussed": {
    122         "applies": true,
    123         "answer": false,
    124         "justification": "No discussion of alternative explanations. For example, the user study willingness scores may not translate to actual behavior; the paper does not consider that users might notice the payload in code review or version control diffs."
    125       }
    126     },
    127     "setup_transparency": {
    128       "model_versions_specified": {
    129         "applies": true,
    130         "answer": false,
    131         "justification": "Table II lists models as 'GPT-4.1', 'Claude-4', 'doubao-seed-1.6', 'Qwen3' without specific API versions or snapshot dates. 'Claude-4' and 'GPT-4.1' lack version specificity."
    132       },
    133       "prompts_provided": {
    134         "applies": true,
    135         "answer": false,
    136         "justification": "The malicious README.md content and mcp.json payload examples are shown (Listing 1), but the exact prompts used to instruct the Agent (e.g., the user's natural language request) are not fully provided."
    137       },
    138       "hyperparameters_reported": {
    139         "applies": true,
    140         "answer": false,
    141         "justification": "No LLM hyperparameters (temperature, top-p, etc.) are reported for any of the tested Agent/IDE pairs."
    142       },
    143       "scaffolding_described": {
    144         "applies": false,
    145         "answer": false,
    146         "justification": "The paper evaluates third-party AI-IDEs (Cursor, Cline, Copilot, etc.) as black boxes. The authors cannot describe internal scaffolding they have no access to."
    147       },
    148       "data_preprocessing_documented": {
    149         "applies": true,
    150         "answer": false,
    151         "justification": "The user study questionnaire design and analysis pipeline are not fully documented. The configuration file identification process used XAI Grok deep search but the filtering criteria and verification process are only briefly described."
    152       }
    153     },
    154     "limitations_and_scope": {
    155       "limitations_section_present": {
    156         "applies": true,
    157         "answer": false,
    158         "justification": "There is no dedicated limitations or threats-to-validity section. The Discussion section (IX) covers related findings and community awareness but does not discuss study limitations."
    159       },
    160       "threats_to_validity_specific": {
    161         "applies": true,
    162         "answer": false,
    163         "justification": "No threats to validity are discussed. The paper does not address limitations such as user study sample bias, the controlled lab setting vs real-world conditions, or the evolving nature of IDE security."
    164       },
    165       "scope_boundaries_stated": {
    166         "applies": true,
    167         "answer": false,
    168         "justification": "The paper does not explicitly state what it does NOT show. For example, it does not acknowledge that the user study measures willingness rather than actual behavior, or that PoC in controlled settings may not reflect real-world exploit success rates."
    169       }
    170     },
    171     "data_integrity": {
    172       "raw_data_available": {
    173         "applies": true,
    174         "answer": false,
    175         "justification": "User study raw data is explicitly deleted per the Ethics section. PoC videos are on Zenodo but raw experimental logs are not available."
    176       },
    177       "data_collection_described": {
    178         "applies": true,
    179         "answer": true,
    180         "justification": "User study: participants recruited from developer community and academic forums, 112 participants, online questionnaire, willingness scale 0-10. PoC: isolated network, MacBook Air victim, Kali Linux attacker (Section V-A)."
    181       },
    182       "recruitment_methods_described": {
    183         "applies": true,
    184         "answer": true,
    185         "justification": "Appendix A states participants were 'recruited from both industrial and academic backgrounds through internal professional networks and public forums' with demographic breakdown by role (Figure 6)."
    186       },
    187       "data_pipeline_documented": {
    188         "applies": true,
    189         "answer": false,
    190         "justification": "The user study analysis pipeline from raw responses to reported percentages is not documented. The paper jumps from '124 AI-IDE users' (or 112 in Appendix) to summary statistics without showing intermediate steps."
    191       }
    192     },
    193     "conflicts_of_interest": {
    194       "funding_disclosed": {
    195         "applies": true,
    196         "answer": false,
    197         "justification": "No funding or acknowledgments section is present in the paper."
    198       },
    199       "affiliations_disclosed": {
    200         "applies": true,
    201         "answer": true,
    202         "justification": "Author affiliations (Zhejiang University, EPFL) are clearly listed. None of the authors appear affiliated with the evaluated AI-IDE vendors."
    203       },
    204       "funder_independent_of_outcome": {
    205         "applies": true,
    206         "answer": false,
    207         "justification": "No funding information is disclosed, so independence cannot be assessed."
    208       },
    209       "financial_interests_declared": {
    210         "applies": true,
    211         "answer": false,
    212         "justification": "No competing interests or financial interests statement is present in the paper."
    213       }
    214     },
    215     "contamination": {
    216       "training_cutoff_stated": {
    217         "applies": false,
    218         "answer": false,
    219         "justification": "This paper tests security vulnerabilities in AI-IDEs, not model capability on benchmarks. Training cutoff is irrelevant to the attack evaluation."
    220       },
    221       "train_test_overlap_discussed": {
    222         "applies": false,
    223         "answer": false,
    224         "justification": "Not a benchmark evaluation of model knowledge. The paper tests whether agents can be manipulated via prompt injection, not model recall."
    225       },
    226       "benchmark_contamination_addressed": {
    227         "applies": false,
    228         "answer": false,
    229         "justification": "No benchmark evaluation is conducted. This is a security vulnerability demonstration."
    230       }
    231     },
    232     "human_studies": {
    233       "pre_registered": {
    234         "applies": true,
    235         "answer": false,
    236         "justification": "No pre-registration is mentioned for the user study."
    237       },
    238       "irb_or_ethics_approval": {
    239         "applies": true,
    240         "answer": false,
    241         "justification": "The Ethics section explicitly states 'this institution does not have an IRB' but claims to follow the Menlo Report principles. No formal ethics approval is mentioned."
    242       },
    243       "demographics_reported": {
    244         "applies": true,
    245         "answer": true,
    246         "justification": "Appendix A provides participant breakdown by professional role (software engineers, architects, researchers, students) with Figure 6, and states over 55% had 4+ years programming experience."
    247       },
    248       "inclusion_exclusion_criteria": {
    249         "applies": true,
    250         "answer": false,
    251         "justification": "No explicit inclusion or exclusion criteria are stated for the user study. Participants are described as 'AI-IDE users' recruited from 'developer community and academic forums' without selection criteria."
    252       },
    253       "randomization_described": {
    254         "applies": false,
    255         "answer": false,
    256         "justification": "This is a cross-sectional survey, not an experimental study with treatment/control conditions. Randomization does not apply."
    257       },
    258       "blinding_described": {
    259         "applies": false,
    260         "answer": false,
    261         "justification": "This is a survey study, not an experimental study. Blinding does not apply."
    262       },
    263       "attrition_reported": {
    264         "applies": true,
    265         "answer": false,
    266         "justification": "Inconsistent participant counts (124 in Section IV-A vs 112 in Appendix A) with no explanation for the discrepancy, suggesting possible attrition or filtering that is not documented."
    267       }
    268     },
    269     "cost_and_practicality": {
    270       "inference_cost_reported": {
    271         "applies": false,
    272         "answer": false,
    273         "justification": "This is a security research paper demonstrating vulnerabilities, not proposing a method with inference costs."
    274       },
    275       "compute_budget_stated": {
    276         "applies": false,
    277         "answer": false,
    278         "justification": "The experiments involve manual PoC demonstrations on consumer hardware, not compute-intensive workloads."
    279       }
    280     }
    281   },
    282   "claims": [
    283     {
    284       "claim": "All nine mainstream AI-IDE/Agent pairs tested are vulnerable to the Cuckoo Attack paradigm, with 8 of 9 achieving arbitrary command injection via MCP configuration files.",
    285       "evidence": "Table III shows exploit results: all 9 pairs support command execution exploit, and 8/9 achieve CI (Cursor is the exception). Section V-C details per-IDE results.",
    286       "supported": "strong"
    287     },
    288     {
    289       "claim": "Over 55% of surveyed developers delegate configuration-related tasks to AI agents, with 80% willing to configure environments from README.md files.",
    290       "evidence": "User study of 112-124 participants (Section IV-A and Appendix A) reports willingness scores. 80% for README-based configuration, 74% for build configs, 73% for IDE settings.",
    291       "supported": "moderate"
    292     },
    293     {
    294       "claim": "The attack achieves stealth by decoupling the malicious action from the Agent's visible operations, and persistence through configuration file embedding.",
    295       "evidence": "Section III-B formalizes the two-stage paradigm. PoC in Section V-B demonstrates the attack chain. Table III 'Display Startup Cmd' row shows most IDEs hide the execution.",
    296       "supported": "strong"
    297     },
    298     {
    299       "claim": "The attack can propagate through the open-source ecosystem as a supply chain attack via shared configuration files.",
    300       "evidence": "Section IV-D describes the propagation mechanism. Impact estimates in Table I (e.g., 5.7M GitHub Actions repositories) are based on repository counts, not demonstrated propagation.",
    301       "supported": "weak"
    302     }
    303   ],
    304   "methodology_tags": ["case-study", "qualitative"],
    305   "key_findings": "The paper introduces Cuckoo Attack, a two-stage attack paradigm against AI-IDEs that achieves stealth and persistence by embedding malicious payloads into configuration files (e.g., mcp.json, Makefile). Testing across nine mainstream AI-IDE/Agent pairs (including Cursor, Cline, Copilot, Windsurf, Trae, Zed, Augment, Lingma), the PoC demonstrates arbitrary command injection in 8 of 9 platforms. A user study of 112-124 developers confirms that configuration tasks are routinely delegated to AI agents, validating the attack surface. The paper identifies seven actionable security checkpoints for vendors and has responsibly disclosed vulnerabilities, with Microsoft and ByteDance confirming the findings.",
    306   "red_flags": [
    307     {
    308       "flag": "No limitations section",
    309       "detail": "The paper lacks any limitations or threats-to-validity section. For a security paper making broad claims about real-world impact, the absence of discussion about controlled lab settings vs real deployments, user study generalizability, or evolving vendor defenses is a significant omission."
    310     },
    311     {
    312       "flag": "Inconsistent participant counts",
    313       "detail": "Section IV-A reports 124 participants while Appendix A reports 112, with no explanation for the discrepancy. This raises questions about data handling."
    314     },
    315     {
    316       "flag": "Supply chain impact claims exceed evidence",
    317       "detail": "Claims about potential supply chain propagation affecting millions of repositories (Table I) are based on repository counts containing configuration files, not demonstrated propagation. The 'worm-like effect' is hypothetical."
    318     },
    319     {
    320       "flag": "User study measures willingness, not behavior",
    321       "detail": "The user study measures self-reported willingness to delegate tasks on a 0-10 scale, which may not reflect actual behavior. This distinction is not acknowledged in the paper."
    322     }
    323   ],
    324   "cited_papers": [
    325     {
    326       "title": "MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits",
    327       "authors": ["B. Radosevich", "J. Halloran"],
    328       "year": 2025,
    329       "arxiv_id": "2504.03767",
    330       "relevance": "Directly relevant security audit of MCP protocol vulnerabilities in LLM agents."
    331     },
    332     {
    333       "title": "Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions",
    334       "authors": ["X. Hou", "Y. Zhao", "S. Wang", "H. Wang"],
    335       "year": 2025,
    336       "relevance": "First systematic analysis of MCP attack surface including Name Collision and Code Injection threats."
    337     },
    338     {
    339       "title": "RedCode: Risky Code Execution and Generation Benchmark for Code Agents",
    340       "authors": ["C. Guo", "X. Liu", "C. Xie", "A. Zhou", "Y. Zeng", "Z. Lin", "D. Song", "B. Li"],
    341       "year": 2024,
    342       "relevance": "Benchmark for evaluating safety of code agents, relevant to AI-IDE security evaluation."
    343     },
    344     {
    345       "title": "Prompt Injection Attack Against LLM-Integrated Applications",
    346       "authors": ["Y. Liu", "G. Deng", "Y. Li"],
    347       "year": 2024,
    348       "arxiv_id": "2306.05499",
    349       "relevance": "Foundational work on prompt injection attacks against LLM-integrated applications."
    350     },
    351     {
    352       "title": "Les Dissonances: Cross-Tool Harvesting and Polluting in Multi-Tool Empowered LLM Agents",
    353       "authors": ["Z. Li", "J. Cui", "X. Liao", "L. Xing"],
    354       "year": 2025,
    355       "arxiv_id": "2504.03111",
    356       "relevance": "Demonstrates cross-tool data exfiltration attacks in multi-tool LLM agents."
    357     },
    358     {
    359       "title": "Demystifying RCE Vulnerabilities in LLM-Integrated Apps",
    360       "authors": ["T. Liu", "Z. Deng", "G. Meng", "Y. Li", "K. Chen"],
    361       "year": 2024,
    362       "relevance": "Systematic detection of remote code execution vulnerabilities in LLM frameworks, published at ACM CCS."
    363     },
    364     {
    365       "title": "AgentPoison: Red-Teaming LLM Agents via Poisoning Memory or Knowledge Bases",
    366       "authors": ["Z. Chen", "Z. Xiang", "C. Xiao", "D. Song", "B. Li"],
    367       "year": 2024,
    368       "relevance": "Red-teaming attacks against LLM agents through knowledge base poisoning, published at NeurIPS."
    369     },
    370     {
    371       "title": "Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol Ecosystem",
    372       "authors": ["H. Song", "Y. Shen", "W. Luo"],
    373       "year": 2025,
    374       "relevance": "Validates MCP attack vectors with real-world malicious MCP servers."
    375     },
    376     {
    377       "title": "Spaiware: Uncovering a Novel Artificial Intelligence Attack Vector Through Persistent Memory in LLM Applications and Agents",
    378       "authors": ["M. Herrador", "J. Rehberger"],
    379       "year": 2025,
    380       "relevance": "Demonstrates persistent attacks through LLM application memory, related to persistence in AI agent attacks."
    381     },
    382     {
    383       "title": "Research Directions in Software Supply Chain Security",
    384       "authors": ["L. Williams", "G. Benedetti", "S. Hamer"],
    385       "year": 2025,
    386       "relevance": "Survey of software supply chain security threats relevant to the supply chain propagation aspect of Cuckoo Attack."
    387     }
    388   ]
    389 }
