{"id":4482,"date":"2026-06-30T18:23:14","date_gmt":"2026-06-30T18:23:14","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/30\/mozilla-shows-the-danger-of-indirect-prompt-injections-in-ai-coding-agents\/"},"modified":"2026-06-30T18:23:14","modified_gmt":"2026-06-30T18:23:14","slug":"mozilla-shows-the-danger-of-indirect-prompt-injections-in-ai-coding-agents","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/30\/mozilla-shows-the-danger-of-indirect-prompt-injections-in-ai-coding-agents\/","title":{"rendered":"Mozilla Shows the Danger of Indirect Prompt Injections in AI Coding Agents"},"content":{"rendered":"<div><img data-opt-id=1632330237  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"329\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2023\/07\/artificial-intelligence-7965589_1280-e1690371743614.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"AI, AWS, agents, code, AI, code, spacelift, GitLab, Duo, AI, integrating Generative AI, with DevOps, BMC, generative AI, DevOps workflows, Generative AI, model, low-code\/no-code, ChatGPT\" \/><\/div>\n<p>A clean GitHub repository that contains no malicious code can launch an attack and fully compromise a developer\u2019s systems by using <a href=\"https:\/\/securityboulevard.com\/2025\/05\/indirect-prompt-injection-attacks-target-common-llm-data-sources\/\" target=\"_blank\" rel=\"noopener\">indirect prompt 
injections<\/a> to trick AI-powered coding agents like Anthropic\u2019s Claude Code into taking steps that hand control to attackers and expose a wide range of secrets.<\/p>\n<p>In a proof-of-concept (PoC) attack, Mozilla 0DIN researchers <a href=\"https:\/\/0din.ai\/blog\/clone-this-repo-and-i-own-your-machine\">Andre Hall and Miller Engelbrecht showed<\/a> how chaining a few seemingly routine agent actions can give a threat actor shell command access and persistence on a targeted developer system.<\/p>\n<p>All of this happens without any warnings or alerts because the payload doesn\u2019t appear anywhere in the repository. Instead, the agent\u2019s own actions cause the malicious payload to be quietly fetched from outside the repository.<\/p>\n<p>\u201cThis means that no scanner would ever catch it, no human reviewer would ever see it, and the agent itself would never have a chance to look at it before running it,\u201d Hall and Engelbrecht wrote. \u201cInstead, the malicious instruction is injected at runtime, pulled from DNS, after the agent has blindly trusted everything else.\u201d<\/p>\n<h3>A \u2018Serious Attack Vector\u2019<\/h3>\n<p>The PoC shows the <a href=\"https:\/\/devops.com\/prompt-injection-isnt-just-a-chat-problem-its-a-devops-threat\/\" target=\"_blank\" rel=\"noopener\">inherent danger of indirect prompt injections<\/a>, a technique in which attackers embed malicious instructions in external content that an agent processes, rather than placing them directly in the user\u2019s input.<\/p>\n<p>\u201cIndirect prompt injection is far more than just another chatbot problem; it is a very real and serious attack vector that can result in catastrophic damage, much of which will be irreversible,\u201d the researchers wrote.<\/p>\n<p>Analysts with The Futurum Group, writing earlier this month about research from Brave, said the <a 
href=\"https:\/\/futurumgroup.com\/insights\/indirect-prompt-injection-exposes-a-universal-ai-security-flaw-no-deployment-model-is-immune\/\" target=\"_blank\" rel=\"noopener\">threat from indirect prompt injections<\/a> makes the \u201cmyth that local AI is safer than cloud AI for sensitive workflows \u2026 untenable.\u201d<\/p>\n<p>\u201cIndirect prompt injection exploits a fundamental weakness in LLM architectures: the inability to enforce a boundary between instructions and data,\u201d the analysts wrote. \u201cAs enterprises accelerate GenAI adoption, this flaw creates systemic risk that no deployment model can sidestep.\u201d<\/p>\n<h3>Three Simple Steps<\/h3>\n<p>0DIN\u2019s PoC comprised three basic steps; the researchers wrote that \u201con their own, none of them looks like anything. The damage only shows up when they run in order.\u201d First, the malicious repository, which looks entirely ordinary, presents seemingly normal first-time setup instructions.<\/p>\n<p>Next, a Python package designed to fail on the first try does nothing until it has been initialized, and its error directs the developer to run an initialization command.<\/p>\n<p>\u201cThis is a completely ordinary pattern, and that is exactly why it works,\u201d Hall and Engelbrecht wrote.<\/p>\n<p>Running that command calls a shell script that appears to be \u201croutine cloud-platform bootstrapping\u201d but is actually controlled by the attacker, they wrote. The script\u2019s config value comes from a DNS TXT record, so the payload is never in the repository; the fetched content is piped directly to bash.<\/p>\n<h3>The Reverse Shell Is Running<\/h3>\n<p>Now the attacker, with the reverse shell running as the developer\u2019s user, gets control of the system and access to every secret in the environment, including credentials, Anthropic API keys, Amazon Web Services (AWS) keys, and GitHub tokens. 
It also establishes persistence on the compromised developer system by dropping an SSH key or installing a backdoor before the shell closes.<\/p>\n<p>The researchers also pointed to the attack\u2019s reach, noting that \u201cone repo link in a job posting, a tutorial, or a Slack message hits everyone who opens it with Claude Code.\u201d<\/p>\n<p>\u201cClaude Code never decided to open a shell,\u201d the researchers wrote. \u201cIt decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw. The attacker now has an interactive shell running as the developer\u2019s own user.\u201d<\/p>\n<h3>Agents Have \u2018Everything They Need\u2019<\/h3>\n<p>The PoC shows the threats that indirect prompt injection poses to AI agents.<\/p>\n<p>\u201cAgentic coding tools have access to everything they need for this [attack]: private data, including environment variables, credentials, API keys, and local configuration files,\u201d Hall and Engelbrecht wrote. \u201cUntrusted content, such as repositories, documentation, and error messages from recently installed packages, can inject malicious models to steal this data.\u201d<\/p>\n<p>Developers should treat setup instructions and scripts in unfamiliar repositories as untrusted code, regardless of what their agent recommends. 
Agents also need to show what a setup command will actually run, including the contents of any scripts it invokes and anything those scripts fetch at runtime, they wrote.<\/p>\n<p><a href=\"https:\/\/devops.com\/mozilla-shows-the-danger-of-indirect-prompt-injections-in-ai-coding-agents\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A clean GitHub repository that contains no malicious code can launch an attack and fully compromise a developer\u2019s systems by [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4483,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4482","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4482"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4482\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4483"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}