# New video: hacking AI coding assistants and IDEs. #bugbounty #ai

## Metadata

- **Channel:** NahamSec
- **YouTube:** https://www.youtube.com/watch?v=Gg6cG2TdqX0
- **Date:** 18.05.2026
- **Duration:** 1:52
- **Views:** 5,138
- **Source:** https://ekstraktznaniy.ru/video/51728

## Transcript

### Segment 1 (00:00 - 01:00)

These things have sandboxes, right? Every single one of these times that I use Claude Code, I'm pretty locked down to one folder, and it's asking me, you know, a bunch of questions. How do you break out of those, or does that even matter for what you're doing?

Yeah, so sandboxes definitely matter. It's probably one of the hardest parts of attacking the IDEs and the authentic agents. And essentially, what it is is that the developers of these products have specifically designed these sandboxes to be network sandboxes, right? So any external network call that you're making to the internet requires user confirmation. And so that can be a real problem when you're trying to attack these, because any time you're wanting to exfiltrate data, which is our third step, right? The input, and you get the data, and then you try and exfiltrate it. It can stop that pretty well. So you've got to be really creative with the ways in which you exfiltrate data, right? So some of them allow DNS resolutions. So some of the sandboxes allow DNS resolutions. And so one way that I came up with, you could basically time the DNS resolutions to an external server, and, you know, every second send one or every second don't send one, and you could encode that in binary, and then you could say, take your data, encode that into a DNS resolution, and then you're transmitting binary, which is getting past the sandbox. There's some other kind of tricky ways to come up with bypassing the sandbox. Another one is basically, the way I approach it is, you've got to map out every single command that you can run with no user confirmation. So a lot of coding agents will let you run, you know, list or print working directory, or change directory with no user confirmation, because these are relatively benign commands. So you've then got to work out, okay, here are all the commands that I can run, and here
