Executive Summary
In early 2024, cybersecurity researchers at Aikido disclosed a critical supply-chain vulnerability affecting major AI coding tools such as Google Gemini, Claude Code, OpenAI Codex, and GitHub AI Inference. The flaw enables attackers to inject malicious prompts into software automation workflows such as GitHub Actions, causing integrated AI agents that hold elevated privileges to execute unauthorized commands. Crafted commit messages and pull requests can trick large language models into treating this untrusted content as actionable instructions, leading to code modifications, shell command execution, and privilege escalation within software repositories. The vulnerability, reported via responsible disclosure, has prompted urgent fixes in some tools, but similar weaknesses remain present in other platforms.
This incident highlights the expanding risks of AI-powered automation in the software development supply chain. With organizations increasingly relying on LLM integrations, the potential for prompt injection and privilege abuse creates new avenues for compromise, underscoring the urgency for robust controls, regular audits, and architectural safeguards around agentic AI workflows.
Why This Matters Now
The widespread adoption of AI-driven development tools dramatically expands the attack surface for prompt injection and supply chain compromise. As LLMs are granted operational authority in CI/CD workflows, security failures can quickly escalate, enabling attackers to hijack critical processes or steal credentials. Organizations must act now to reassess controls around AI integrations and mitigate emerging threats.
Attack Path Analysis
The attack begins when malicious prompt injections are submitted to agentic AI tools integrated within software development pipelines, exploiting trust in user-supplied content. These AI agents, holding high-level privileges, interpret the prompts as commands, escalating attacker control within the affected environment. With privileged access, attackers may manipulate workflows or extract secrets, possibly pivoting laterally within interconnected services or repos. Command and control is maintained through further prompt interactions or embedded instructions, enabling persistent access. Sensitive data, credentials, or tokens are exfiltrated via outbound traffic or issue/comment export functions. Ultimately, attackers achieve impact by leaking tokens, modifying code, or publishing malicious updates, disrupting business operations or supply chain integrity.
Kill Chain Progression
Initial Compromise
Description
Adversaries submit crafted prompt injections via pull requests, issues, or commits, triggering AI agents to execute unauthorized actions in CI/CD workflows.
Related CVEs
CVE-2025-58372
CVSS 9.8. A vulnerability in Roo Code versions 3.25.23 and below allows prompt injection attacks leading to arbitrary code execution.
Affected Products:
Roo Code Inc. Roo Code – <= 3.25.23
Exploit Status:
proof of concept
CVE-2025-54794
CVSS 7.6. A prompt injection vulnerability in Claude AI allows attackers to execute arbitrary code via crafted code blocks.
Affected Products:
Anthropic Claude AI – All versions prior to fix
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Spearphishing Attachment
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Command and Scripting Interpreter
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Valid Accounts
Data Manipulation: Stored Data Manipulation
Modify Authentication Process: Pluggable Authentication Modules
Steal Web Session Cookie
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Impact of Software Changes
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10(2)
CISA ZTMM 2.0 – Automated Threat and Anomaly Detection
Control ID: 2.2.2
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical supply-chain vulnerability in AI coding tools enables prompt injection attacks compromising GitHub Actions workflows and development automation pipelines.
Information Technology/IT
Agentic AI integration into IT workflows creates dangerous privilege escalation paths allowing malicious LLM instructions to execute system commands.
Financial Services
AI-driven development tools pose severe compliance risks: potential GitHub token leakage puts NIST and other regulatory requirements for secure systems at risk.
Computer/Network Security
Zero trust segmentation and threat detection capabilities are undermined by the inability of LLMs to distinguish data content from malicious instructions.
Sources
- More evidence your AI agents can be turned against you: https://cyberscoop.com/ai-coding-tools-can-be-turned-against-you-aikido-github-prompt-injection/
- Understanding prompt injections: https://openai.com/safety/prompt-injections/
- Vulnerability Summary for the Week of March 31, 2025: https://www.cisa.gov/news-events/bulletins/sb25-097
- GitHub - AikidoSec/intel: We track 5 million open-source packages, exposing vulnerabilities before they get CVE numbers. https://github.com/AikidoSec/intel
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Zero Trust controls such as network segmentation, egress policy enforcement, east-west traffic security, and anomaly detection would have significantly reduced attacker mobility and data exposure throughout this supply-chain attack. CNSF's granular workload isolation and egress controls limit the blast radius and enable rapid detection of abnormal AI agent behavior in the pipeline.
Control: Zero Trust Segmentation
Mitigation: Restricted unauthorized access attempts from supply chain entry points.
Control: Multicloud Visibility & Control
Mitigation: Detected abnormal privilege operations and agent behaviors.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized east-west traffic between code pipelines and adjacent services.
Control: Cloud Firewall (ACF)
Mitigation: Detected and possibly blocked unauthorized outbound command and control attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized data exfiltration from CI/CD environments; rapidly detected and alerted on high-impact workflow or data changes.
Impact at a Glance
Affected Business Functions
- Software Development
- IT Operations
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive code repositories and intellectual property due to unauthorized code execution.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and strict access policies between CI/CD AI agents and sensitive cloud workloads.
- Implement comprehensive egress filtering and outbound policy enforcement for all AI-driven workflow components.
- Establish continuous anomaly detection and baselining to spot irregular agent behaviors and privilege changes.
- Centralize multicloud visibility and maintain contextual monitoring for privilege escalations and workflow abuse.
- Review AI tool and CI/CD workflow integrations regularly to minimize privilege scopes and exposure to untrusted inputs.
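As an added example, not code from this brief, from Aikido or from any of the named vendors: a small Python audit over GitHub Actions workflow text that flags the conditions the attack path above relies on and that the last recommendation asks teams to review. It checks for an unscoped or write-all GITHUB_TOKEN, for the pull_request_target trigger (a GitHub Actions feature not named on the page, which runs fork-supplied input with the base repository's token), and for untrusted event text expanded directly into a run: or with: block; the ai-agent command in the two constructed sample workflows is a placeholder.

```python
import re

# Event fields an outside contributor controls via a PR, issue, comment or commit:
# the injection vectors the brief describes. Sample workflows below are constructed.
UNTRUSTED_FIELDS = (
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.issue.title", "github.event.issue.body", "github.event.comment.body",
    "github.event.head_commit.message", "github.event.commits",
)

def audit_workflow(text: str) -> list:
    findings, lines = [], text.splitlines()  # (line_no, finding); line 0 = whole workflow
    # 1. Token scope: no top-level permissions block inherits the repo default; write-all grants all.
    top = next((ln for ln in lines if ln.startswith("permissions:")), None)
    if top is None:
        findings.append((0, "no top-level permissions block: GITHUB_TOKEN not minimised"))
    elif re.match(r"^permissions:\s*write-all", top):
        findings.append((lines.index(top) + 1, "permissions: write-all grants every scope"))
    context = None
    for no, line in enumerate(lines, 1):
        # 2. pull_request_target runs fork-supplied input with the base repo's token.
        if re.search(r"\bpull_request_target\b", line):
            findings.append((no, "pull_request_target: fork input runs with base-repo token"))
        if key := re.match(r"^\s*-?\s*(name|uses|run|env|with):", line):
            context = key.group(1)  # step key the following expressions sit under
        # 3. Untrusted text inside run:/with: is shell- and prompt-injectable; via env: it is data.
        for expr in re.findall(r"\$\{\{\s*([^}]+?)\s*\}\}", line):
            if context in ("run", "with") and expr.startswith(UNTRUSTED_FIELDS):
                findings.append((no, f"{expr} expanded in {context}: pass it via env"))
    return findings

WEAK = """\
on: [pull_request_target]
permissions: write-all
jobs:
  review:
    steps:
      - run: ai-agent --task "${{ github.event.pull_request.body }}"  # placeholder tool
"""
HARDENED = """\
on: [pull_request]
permissions:
  contents: read
jobs:
  review:
    steps:
      - env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: ai-agent --task-file <(printf '%s' "$PR_BODY")  # placeholder tool
"""
```

Running audit_workflow over WEAK reports all three conditions; over HARDENED it reports none, because the token is read-only, the trigger is pull_request, and the PR body reaches the agent only through an environment variable the step must treat as data.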