“Unfortunately, because of the natural language nature of prompt injections, blocking them using classifiers or any kind of blacklisting isn’t enough,” they said in their report. “There are just too many ways to write them, hiding them behind benign topics, using different phrasings, tones, languages, etc. Just like we don’t consider malware fixed because another sample made it into a deny list, the same is true for prompt injection.”
Hijacking Cursor coding assistant via Jira tickets
As part of the same research effort, Zenity also investigated Cursor, one of the most popular AI-assisted code editors and IDEs. Cursor can integrate with many third-party tools, including Jira, one of the most popular project management platforms used for issue tracking.
“You can ask Cursor to look into your assigned tickets, summarize open issues, and even close tickets or respond automatically, all from within your editor. Sounds great, right?” the researchers said. “But tickets aren’t always created by developers. In many companies, tickets from external systems like Zendesk are automatically synced into Jira. This means that an external actor can send an email to a Zendesk-connected support address and inject untrusted input into the agent’s workflow.”
