What is the Blackbox AI VS Code extension vulnerability?

Security researchers at ERNW GmbH demonstrated that the Blackbox AI VS Code agent extension can be exploited through indirect prompt injection. An attacker can embed malicious instructions in files such as PNG images, PDFs, or Python source code to achieve root-level access.

How does the PNG image attack work?

The extension includes OCR that reads text from images. A researcher embedded malicious tool-calling instructions inside a PNG image. The extension read them via OCR, downloaded a reverse shell binary, and executed it. Root privileges were achieved through emotional manipulation of the AI agent.

Is the vulnerability patched?

No. As of March 2026, no patch, security advisory, or acknowledgment has been issued by Blackbox AI. The researcher confirmed the attacks still worked on the latest version at time of publication.

What CVEs are assigned to Blackbox AI?

Only CVE-2024-48139, a prompt injection in the chatbox rated 7.5 High. No CVEs have been assigned for the ERNW root-level RCE or VerSprite NTLM hash theft and plaintext data exfiltration findings.

What is the plaintext HTTP data exfiltration issue?

VerSprite discovered the extension sends all project files via plaintext HTTP POST to an Oracle-owned IP address. Any attacker in a man-in-the-middle position can intercept the full contents of a developers project files.

Has Blackbox AI responded to security researchers?

No. VerSprite contacted them August 2025 with no response. ERNW tried three email addresses plus X/Twitter starting November 2025, also with no response. No bug bounty program exists.

How does this compare to Claude Code vulnerabilities?

Anthropic patched both Claude Code CVEs before public disclosure and collaborated with researchers. Microsoft patched a critical GitHub Copilot vulnerability in August 2025. Blackbox AI has provided zero response and zero patches over seven months.

Should I uninstall the Blackbox AI extension?

ERNW recommends halting usage immediately. A third-party advisory from technews.tax also recommends immediate halt of usage. No patch or fix timeline exists.

2 posts tagged with "Prompt Injection"

Prompt injection attacks targeting AI agents and LLM applications

View All Tags

Your AI Copilot Is the Newest Attack Surface

March 11, 2026 · 15 min read

Dhayabaran V

Barrack AI

Four distinct security incidents in early 2026 prove that AI assistants have become viable, weaponizable attack vectors. Researchers demonstrated zero-click data exfiltration through Excel's Copilot Agent, full system compromise via Chrome's Gemini panel, session hijacking of Microsoft Copilot Personal, and 1Password vault takeover through Perplexity's agentic browser. Each exploits the same fundamental problem: AI agents inherit broad permissions and cannot reliably distinguish legitimate instructions from attacker-controlled content. The industry data confirms the gap: 83% of organizations plan to deploy agentic AI, but only 29% feel ready to secure it.

Blackbox AI's VS Code extension can give attackers root access to your machine. The company has not responded in seven months.

March 9, 2026 · 18 min read

Dhayabaran V

Barrack AI

A security researcher at ERNW GmbH sent a crafted PNG image to Blackbox AI's VS Code extension. The extension read the image, followed the hidden instructions inside it, downloaded a reverse shell binary from an attacker-controlled server, executed it, and then, after being guilt-tripped into apologizing, ran the binary again with sudo privileges. Root access. From a PNG.

The Blackbox AI extension has been installed over 4.7 million times according to the company's own website. It runs shell commands, edits files, and launches a browser on your machine. Three independent security research teams have now documented critical vulnerabilities in it. The company behind it has not responded to a single disclosure attempt in over seven months.