Cranium AI, a specialist in AI security and governance, has identified a high-to-critical severity exploitation technique that enables attackers to hijack agentic AI coding assistants, achieving persistent arbitrary code execution across various Integrated Development Environments (IDEs).
The discovery details a multi-stage attack that differs from traditional, often non-persistent, Large Language Model (LLM) attacks. Cranium’s research outlines a sophisticated sequence that exploits the implicit trust within AI automation workflows. Attackers can plant an indirect prompt injection in seemingly benign files like LICENSE.md or README.md within a compromised repository.
This injection allows an AI assistant to silently install malicious automation files into a user’s trusted workflow environment. Once established, these files, disguised as ordinary developer workflows, can execute arbitrary code on the victim’s machine, establish persistence across multiple IDE sessions, exfiltrate sensitive data, or propagate the attack to other repositories.
The vulnerability impacts any AI coding assistant that imports and processes untrusted data while supporting automated task execution through AI-directed file system operations. Cranium’s findings also highlight a critical “Governance Gap” in current AI tools, where existing safeguards like “human-in-the-loop” approvals are often insufficient due to mental fatigue, especially when users interact with unfamiliar code.
The implicit trust placed in automation mechanisms and the absence of sandboxing for AI-initiated file operations create a significant supply chain risk. To mitigate these risks, Cranium recommends immediate controls, including implementing global access controls to restrict AI assistants from executing automation files from untrusted sources.
Other recommendations include strict vetting policies requiring security reviews of all external repositories before they are cloned into AI-enabled IDEs, and deploying local scanners to detect persistent, malicious automation files in hidden directories.
Daniel Carroll, Chief Technology Officer at Cranium, commented on the discovery, stating, “The discovery of this persistent hijacking vector marks a pivotal moment in AI security because it exploits the very thing that makes agentic AI powerful: its autonomy. By turning an AI assistant’s trusted automation features against the user, attackers can move beyond simple chat-based tricks to execute arbitrary code that survives across multiple sessions and IDE platforms.”
Cranium has open-sourced several IDE Plugins, available at no cost, to help developers assess their risk. These plugins can be downloaded from the company’s website. Cranium AI, headquartered in the New York metropolitan area, specializes in AI security and AI governance solutions, aiming to empower organizations to adopt and scale AI technologies securely and compliantly across their entire AI supply chain.
