Executive Summary
In early 2024, security researchers identified a new wave of cyber intrusions involving adversaries weaponizing AI-enabled command-line tools to facilitate command and control activities within targeted business environments. Attackers leveraged popular AI code-assistants such as Claude Code, integrating them into CLI workflows to generate and execute malicious payloads, exfiltrate credentials, and bypass conventional security controls. The attack chain typically relied on legitimate processes, enabling lateral movement and credential theft while avoiding detection by traditional endpoint defenses. Unauthorized east-west traffic and encrypted exfiltration allowed threat actors to maintain persistence and evade standard monitoring solutions, impacting both operational continuity and sensitive business data.
The incident underscores a rapidly evolving threat landscape where generative AI and shell automation converge, accelerating the sophistication and speed of adversary tactics. As enterprises adopt AI-driven DevOps and operational tooling, the risk of shadow AI and undetected rogue automation increases, compelling a shift towards advanced visibility, zero trust segmentation, and policy enforcement across hybrid environments.
Why This Matters Now
This incident highlights an urgent security gap as AI-powered CLI tools become mainstream, offering adversaries new avenues for stealthy lateral movement, automated credential theft, and undetectable data exfiltration. Enterprises must urgently adapt detection, segmentation, and governance controls to counter the speed and automation that generative AI brings to modern attacks.
Attack Path Analysis
Adversaries gained initial access by abusing AI CLI tools through malicious prompts, likely harvesting valid credentials or tokens. After compromise, attackers escalated their permissions to access sensitive resources in the cloud. They then moved laterally within the cloud environment, pivoting between services and workloads to expand control. Command and control was maintained via encrypted or covert network channels, with possible use of non-standard outbound traffic. This allowed the adversary to exfiltrate sensitive data, such as credentials or intellectual property, leveraging allowed outbound or east-west traffic flows. Finally, the attackers executed impact operations, such as data theft or business disruption, leveraging compromised access and unfiltered exfiltration paths.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited AI CLI tools with malicious prompts, resulting in credential theft or token harvesting that provided an initial foothold in the cloud environment.
Related CVEs
CVE-2025-61260
CVSS 9.8
A command injection vulnerability in OpenAI's Codex CLI allows attackers to execute arbitrary commands on developer machines without user interaction.
Affected Products:
OpenAI Codex CLI – All versions prior to December 1, 2025
Exploit Status:
Exploited in the wild
CVE-2025-61261
CVSS 9
A prompt injection vulnerability in Google's Gemini CLI allows attackers to execute arbitrary commands on user devices by embedding malicious prompts in code packages.
Affected Products:
Google Gemini CLI – All versions prior to July 25, 2025
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Command and Scripting Interpreter
Valid Accounts
Modify Authentication Process
Brute Force
Credentials from Password Stores
Application Layer Protocol
Adversary-in-the-Middle
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access to CDE
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Credential Theft Prevention and Detection
Control ID: Identity Pillar - 2.3
NIS2 Directive – Supply Chain and ICT Security Policy
Control ID: Article 21(2)(b)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
High risk from AI CLI tool abuse for command and control attacks, threatening code repositories, development environments, and software supply chains.
Information Technology/IT
Critical exposure to credential theft via malicious AI prompts targeting IT infrastructure, requiring enhanced threat detection and anomaly response capabilities.
Financial Services
Severe impact from command and control threats exploiting AI tools, compromising sensitive financial data and requiring strict egress security enforcement.
Health Care / Life Sciences
Significant vulnerability to AI-enabled attacks stealing healthcare credentials, demanding zero trust segmentation and encrypted traffic protection for HIPAA compliance.
Sources
- Commanding attention: How adversaries are abusing AI CLI tools (https://redcanary.com/blog/threat-detection/ai-cli-tools/)
- OpenAI Codex CLI Command Injection Vulnerability Lets Attackers Execute Arbitrary Commands (https://cyberpress.org/openai-codex-cli-command-injection-vulnerability/)
- Flaw in Gemini CLI coding tool could allow hackers to run nasty commands (https://arstechnica.com/security/2025/07/flaw-in-gemini-cli-coding-tool-allowed-hackers-to-run-nasty-commands-on-user-devices/)
- Critical flaws found in AI development tools are dubbed an 'IDEsaster': data theft and remote code execution possible (https://www.tomshardware.com/tech-industry/cyber-security/researchers-uncover-critical-ai-ide-flaws-exposing-developers-to-data-theft-and-rce)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF and zero trust controls such as network segmentation, east-west traffic isolation, encrypted traffic inspection, and strict outbound policy enforcement would have significantly limited the adversary’s ability to pivot, maintain command and control, and exfiltrate data across cloud workloads. Timely threat detection and centralized visibility would enable rapid response to abnormal activity arising from AI tool abuse or novel attack paths.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious CLI activity and anomalous access patterns would be detected and alerted on.
Control: Zero Trust Segmentation
Mitigation: Lateral privilege escalation would be blocked by identity- and role-based segmentation policies.
Control: East-West Traffic Security
Mitigation: Internal lateral movement across workloads and regions would be detected and restricted.
Control: Inline IPS (Suricata)
Mitigation: Known malicious C2 traffic and signatures would be detected and blocked inline.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data exfiltration would be detected and prevented via outbound policy controls.
Unified enforcement and centralized response would contain and mitigate destructive actions.
Impact at a Glance
Affected Business Functions
- Software Development
- IT Operations
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive source code, API keys, and developer credentials due to exploitation of AI command-line tool vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation to enforce least privilege and microsegmentation across cloud workloads.
- Deploy comprehensive egress security and FQDN filtering to constrain outbound and exfiltration risks from AI tool abuse.
- Enable anomaly detection and threat response to quickly flag suspicious CLI interactions and credential misuse.
- Utilize inline IPS for east-west and egress inspection to catch known exploit and command-and-control signatures.
- Centralize cloud visibility and policy enforcement using CNSF to streamline incident response and minimize attack surface.
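As an added illustration of the Threat Detection & Anomaly Response control and the anomaly-detection action above (example code written for this page, not CNSF's or any vendor's detection logic): a small Python rule set that inspects constructed process telemetry and flags child processes of an AI CLI agent that read credential stores or resolve egress FQDNs outside an allowlist. The tool binary names, credential-store paths and allowlist hosts are assumptions to adapt to your own estate.

```python
"""Detection sketch for AI CLI tool abuse: flag shell children of AI coding
agents that touch credential stores or reach non-allowlisted egress FQDNs.
The telemetry below is constructed sample data, not real events."""
import json
from dataclasses import dataclass

# Assumed binary names of the AI CLI tools named in the report.
AI_CLI_PROCESSES = {"claude", "codex", "gemini"}
# Assumed credential-store markers worth alerting on (extend for your estate).
CREDENTIAL_PATHS = ("/.aws/credentials", "/.ssh/", "/.env", "/.git-credentials", "/.docker/config.json")
# Assumed egress allowlist: only the vendor API endpoints the tools legitimately need.
EGRESS_ALLOWLIST = {"api.anthropic.com", "api.openai.com", "generativelanguage.googleapis.com"}

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str

def evaluate_event(event: dict) -> list:
    """Apply both rules to one process event; return zero or more findings."""
    findings = []
    if event.get("parent_name") not in AI_CLI_PROCESSES:
        return findings  # only processes spawned by an AI CLI agent are in scope
    pid = event["pid"]
    for path in event.get("files_read", []):
        if any(marker in path for marker in CREDENTIAL_PATHS):
            findings.append(Finding("ai_cli_credential_access", pid, path))
    for dest in event.get("dns_queries", []):
        if dest not in EGRESS_ALLOWLIST:
            findings.append(Finding("ai_cli_unapproved_egress", pid, dest))
    return findings

def scan(lines):
    """Parse JSON-lines telemetry and collect findings across all events."""
    return [f for line in lines if line.strip() for f in evaluate_event(json.loads(line))]

# Constructed sample telemetry (JSON lines), one process event per line.
SAMPLE_EVENTS = """
{"pid": 4101, "name": "bash", "parent_name": "claude", "files_read": ["/home/dev/.aws/credentials"], "dns_queries": ["api.anthropic.com"]}
{"pid": 4102, "name": "curl", "parent_name": "claude", "files_read": [], "dns_queries": ["files.example-drop.test"]}
{"pid": 4103, "name": "bash", "parent_name": "bash", "files_read": ["/home/dev/.ssh/id_ed25519"], "dns_queries": []}
{"pid": 4104, "name": "node", "parent_name": "gemini", "files_read": ["/home/dev/project/README.md"], "dns_queries": ["generativelanguage.googleapis.com"]}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The third event is deliberately out of scope (parent is a plain shell) to show the rule keys on the AI CLI parent rather than on the credential path alone.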