This paper identifies a novel stealthy and persistent security threat in AI-powered IDEs, wherein attackers embed malicious payloads in user configuration files to achieve silent command execution and long-term persistence via LLM agents’ automatic configuration loading and contextual interactions with external protocol servers (e.g., MCP). Method: We characterize a two-stage attack paradigm that simultaneously achieves concealment and persistence—breaking out of local sandbox boundaries and enabling supply-chain contamination. Empirical validation was conducted across nine mainstream AI-IDE/agent combinations. Contribution/Results: We systematically expose configuration files as a critical attack vector, propose seven actionable security assessment checkpoints, and deliver evidence-based defensive guidelines for vendors. Our findings demonstrate that seemingly benign configuration mechanisms can be weaponized to bypass traditional isolation controls, thereby introducing novel risks to AI-native development environments.

Modern AI-powered Integrated Development Environments (AI-IDEs) are increasingly defined by an Agent-centric architecture, where an LLM-powered Agent is deeply integrated to autonomously execute complex tasks. This tight integration, however, also introduces a new and critical attack surface. Attackers can exploit these components by injecting malicious instructions into untrusted external sources, effectively hijacking the Agent to perform harmful operations beyond the user's intention or awareness. This emerging threat has quickly attracted research attention, leading to various proposed attack vectors, such as hijacking Model Context Protocol (MCP) Servers to access private data. However, most existing approaches lack stealth and persistence, limiting their practical impact. We propose the Cuckoo Attack, a novel attack that achieves stealthy and persistent command execution by embedding malicious payloads into configuration files. These files, commonly used in AI-IDEs, execute system commands during routine operations, without displaying execution details to the user. Once configured, such files are rarely revisited unless an obvious runtime error occurs, creating a blind spot for attackers to exploit. We formalize our attack paradigm into two stages, including initial infection and persistence. Based on these stages, we analyze the practicality of the attack execution process and identify the relevant exploitation techniques. Furthermore, we analyze the impact of Cuckoo Attack, which can not only invade the developer's local computer but also achieve supply chain attacks through the spread of configuration files. We contribute seven actionable checkpoints for vendors to evaluate their product security. The critical need for these checks is demonstrated by our end-to-end Proof of Concept, which validated the proposed attack across nine mainstream Agent and AI-IDE pairs.