How Agentic AI Coding Assistants Become the Attacker's Shell
2026-05-25 • Software Engineering
Software EngineeringCryptography and Security
AI summaryⓘ
The authors studied AI coding helpers that can do tasks like editing files and running commands for developers. They found that these AIs can be tricked by hidden instructions in files or online content, making them run commands the attacker wants. The authors explain how these attacks happen, how common they are, and why current defenses don't fully solve the problem. They also suggest areas where more research is needed to protect these AI assistants.
Agentic AIPrompt injectionCoding assistantsSecurity vulnerabilitiesExternal artifactsCommand executionAI safetyAttack vectorsDefense mechanisms
Authors
Yue Liu, Yanjie Zhao, Yunbo Lyu, Ting Zhang, Haoyu Wang, David Lo
Abstract
Agentic AI coding assistants can edit files, run commands, and access the internet on behalf of developers. However, their reliance on unvetted external artifacts introduces a new attack vector. Hidden instructions in external artifacts can hijack these assistants, turning them into an attacker's shell to run unauthorized commands. In this article, we examine how these prompt injection attacks work, measure their prevalence, discuss the limitations and challenges of current defenses, and suggest future research directions.