Clone This Repo and I Own Your Machine
Indirect prompt injection in agentic coding tools can lead to full system compromise because authorized tools allow LLMs to run shell commands, access files, and make network calls without clear user visibility.
An attacker can gain code execution using a completely normal looking repository by chaining trusted setup instructions, routine error handling, and automated agent behavior.
The malicious payload does not exist in the repository at all and is instead fetched at runtime from a DNS TXT record, making it invisible to code review, static scanners, and even the agent itself.
The result is a reverse shell running as the developer’s own user, exposing credentials, API keys, and allowing persistence, all triggered by the agent attempting to fix a harmless looking setup error.