The Rules File Backdoor Detector
Static security scanner that detects AI configuration file attacks. Hardpoint finds malicious instructions hidden in .cursorrules, CLAUDE.md, mcp.json, and other AI config files that traditional security tools miss.
The Rules File Backdoor attack (24 CVEs in 2025) exploits AI configuration files to persist malicious instructions. Attackers hide commands in:
- HTML comments that appear invisible to human reviewers
- JSON
_commentfields that look like documentation - Content after benign introductions that creates false trust
Traditional security scanners don't detect these attacks because they don't understand AI config file semantics. Snyk finds bugs in code. GitHub Advanced Security finds secrets. Hardpoint finds backdoors in AI behavior.
go install github.com/dotsetlabs/hardpoint/cmd/hardpoint@latest# Scan current directory
hardpoint scan
# Scan specific path
hardpoint scan /path/to/project
# Output as SARIF for CI/CD integration
hardpoint scan --format sarif --output results.sarif# Trust a verified AI config file (creates hash)
hardpoint trust CLAUDE.md
# Verify file hasn't changed
hardpoint verify
# List trusted files
hardpoint trust --listDetection of malicious instructions hidden in file structure. This is Hardpoint's flagship detection for Rules File Backdoor attacks.
| Detection | Description |
|---|---|
| Comment Divergence | Malicious patterns in comments while visible content looks benign |
| Hidden Sections | Instructions in HTML <!-- --> or JSON _comment fields |
| Length Anomaly | Hidden content exceeds visible content by 2x+ |
| Pattern After Benign | Malicious content after 10+ lines of legitimate content |
Detection of shell metacharacters in MCP server configurations that could allow command injection attacks.
| Detection | Description |
|---|---|
| Command Substitution | $(...) and backtick patterns |
| Command Chaining | &&, ||, ; operators |
| Process Substitution | >(...) and <(...) patterns |
Detection of Base64 or otherwise encoded content that may hide malicious instructions.
Detection of malicious commands in git hooks that could compromise developer environments.
| Rule | Description |
|---|---|
| GIT-001 | Malicious command patterns (curl|sh, /dev/tcp, nc -e) |
| GIT-002 | Credential exfiltration attempts |
| GIT-003 | Unexpected network access |
| GIT-004 | Obfuscated content in hooks |
| GIT-005 | Suspicious git remote URLs |
| GIT-006 | Suspicious credential helpers |
| File | Description |
|---|---|
.cursorrules |
Cursor editor AI rules |
CLAUDE.md |
Claude Code project context |
AGENTS.md |
Multi-agent instructions |
mcp.json |
MCP server configuration |
.github/copilot-instructions.md |
Copilot custom instructions |
.windsurfrules |
Windsurf AI rules |
.aider* |
Aider configuration |
| Rule ID | Category | Severity | Description |
|---|---|---|---|
| AI-004 | Encoded Content | Medium | Base64 or otherwise encoded instructions |
| AI-005 | MCP Injection | Critical | Command injection in MCP configs |
| AI-008 | Semantic Hijacking | Critical | Hidden instructions in comments/structure |
| GIT-001 | Git Hooks | Critical | Malicious commands in git hooks |
| GIT-002 | Git Hooks | Critical | Credential exfiltration in hooks |
| GIT-003 | Git Hooks | Medium | Unexpected network access |
| GIT-004 | Git Hooks | High | Obfuscated content in hooks |
| GIT-005 | Git Hooks | Medium | Suspicious git remote URLs |
| GIT-006 | Git Hooks | High | Suspicious credential helpers |
- name: Hardpoint Security Scan
run: |
go install github.com/dotsetlabs/hardpoint/cmd/hardpoint@latest
hardpoint scan --format sarif --output hardpoint.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: hardpoint.sarifhardpoint:
script:
- go install github.com/dotsetlabs/hardpoint/cmd/hardpoint@latest
- hardpoint scan --format sarif --output gl-code-quality-report.json
artifacts:
reports:
codequality: gl-code-quality-report.json# Install hook
hardpoint hook install
# Or run manually before commit
hardpoint scan --exit-code# .hardpoint.yaml
scan:
paths:
- .
exclude:
- node_modules
- vendor
trust:
verify_on_scan: true
output:
format: terminal # terminal, json, sarif| What Hardpoint Does | What Other Tools Do |
|---|---|
| Scans AI-specific config files | Scan general source code |
| Detects semantic hijacking in comments | Pattern match without context |
| Understands Rules File Backdoor attack | Unaware of AI config threats |
| Config hash verification workflow | No AI config trust model |
Hardpoint is designed for speed. Benchmarks run against popular open-source repositories:
| Repository | Files | AI Configs | Scan Time | Findings |
|---|---|---|---|---|
| next.js | 26,568 | 2 | 33ms | 0 |
| supabase | 13,808 | 0 | 66ms | 0 |
| shadcn/ui | 8,022 | 0 | 4ms | 0 |
| react | 6,982 | 0 | 4ms | 0 |
| langchain | 2,975 | 2 | 26ms | 0 |
| openai-python | 1,220 | 0 | 4ms | 0 |
| anthropic-cookbook | 417 | 3 | 8ms | 0 |
| mcp/servers | 156 | 1 | 4ms | 0 |
Total: 60,148 files scanned in ~150ms across 8 repositories with 8 AI config files.
Tested against real-world AI configuration files from major open-source projects:
- 8 AI config files scanned (CLAUDE.md, AGENTS.md) from Next.js, LangChain, Anthropic Cookbook, and MCP servers
- 0 false positives on legitimate configuration content
- All files contained standard project documentation and AI assistant instructions
The semantic hijacking detector (AI-008) uses a confidence scoring system to minimize false positives while catching real attacks. Findings below the threshold are not reported.
Hardpoint focuses on static analysis of AI configuration files. For runtime protection of AI tool operations, see Overwatch.
SCAN (Hardpoint) → CONTROL (Overwatch)
Defend against Stop Tool Shadowing
Rules File Backdoor and Rogue Agents
MIT