Overview
- Aikido Security detailed a vulnerability pattern dubbed PromptPwnd that abuses prompt injection in GitHub Actions and GitLab pipelines to trigger privileged agent tools.
- Researchers reported practical, reproducible exposures in real workflows, including findings across at least five Fortune 500 companies, and released Opengrep rules to aid detection.
- Google patched its Gemini CLI repository within days of Aikido’s disclosure, and similar risky configurations were demonstrated in tools like Claude Code and OpenAI Codex.
- A separate six‑month study, IDEsaster, disclosed 30+ flaws across AI IDEs and assistants such as Copilot, Cursor, Zed, Roo Code, Junie, Cline and others, with at least 24 CVEs assigned.
- The attack chains combine prompt injection, auto‑approved agent actions and legitimate IDE features to exfiltrate secrets or achieve remote code execution, prompting calls for least‑privilege controls, sandboxing, hardened prompts and stricter handling of untrusted inputs and MCP servers.
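The workflow-side part of this pattern (an untrusted event field interpolated into an AI-agent step while the job token holds write permissions) can be checked mechanically. The following is an added example written for this summary, not Aikido's Opengrep rules and not code from any of the projects named above: a small Python linter that scans a GitHub Actions workflow for untrusted `github.event.*` contexts inlined into `run:` blocks and reports whether the workflow also grants write permissions. The two embedded workflows are constructed, and `ai-agent-cli` is a placeholder command standing in for whichever agent CLI a team wires into CI. The hardened variant reduces the blast radius (read-only token, no inline interpolation) but does not make the model immune to instructions hidden in the issue text; that still requires the agent not to have privileged tools available.

```python
import re
from dataclasses import dataclass

# Event fields that an external contributor controls. Treating them as untrusted
# follows GitHub's own guidance on script injection in workflows.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")          # ${{ ... }} expressions
WRITE_PERM_RE = re.compile(r"^\s*[\w-]+:\s*write\s*$")      # e.g. "contents: write"
ALL_WRITE_RE = re.compile(r"^\s*permissions:\s*write-all\s*$")


@dataclass
class Finding:
    line: int
    context: str
    reason: str


def scan_workflow(text: str) -> list[Finding]:
    """Flag untrusted event contexts interpolated directly into run: blocks."""
    lines = text.splitlines()
    grants_write = any(WRITE_PERM_RE.match(l) or ALL_WRITE_RE.match(l) for l in lines)
    findings: list[Finding] = []
    run_indent = None  # indentation of the current `run:` key while inside its block
    for no, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if run_indent is not None and stripped and indent <= run_indent:
            run_indent = None  # a sibling key: we have left the run block
        if stripped.startswith("run:"):
            run_indent = indent
        if run_indent is None:
            continue
        for expr in EXPR_RE.findall(line):
            if expr in UNTRUSTED_CONTEXTS:
                reason = "untrusted event field interpolated into a shell/prompt"
                if grants_write:
                    reason += "; workflow token has write permissions"
                findings.append(Finding(no, expr, reason))
    return findings


# Constructed sample: risky shape. The issue body lands inside the agent's prompt
# via shell interpolation, and the job token can push commits and edit issues.
VULNERABLE = """\
name: ai-triage
on:
  issues:
    types: [opened]
permissions:
  contents: write
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Ask the agent to triage
        run: |
          ai-agent-cli --prompt "Triage this issue and apply fixes: ${{ github.event.issue.body }}"
"""

# Constructed sample: hardened shape. Read-only token, the untrusted text is passed
# through an environment variable instead of being spliced into the command line.
# (`ai-agent-cli` and its flags are placeholders, not a real tool.)
HARDENED = """\
name: ai-triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
  issues: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Ask the agent to triage (read-only, no tool execution)
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          ai-agent-cli --prompt "Summarise the issue held in ISSUE_BODY"
"""


def report(name: str, text: str) -> str:
    findings = scan_workflow(text)
    if not findings:
        return f"{name}: no findings"
    return "\n".join(f"{name}:{f.line}: {f.context}: {f.reason}" for f in findings)


if __name__ == "__main__":
    print(report("vulnerable.yml", VULNERABLE))
    print(report("hardened.yml", HARDENED))
```

Running the block prints one finding for the first workflow (line 15, `github.event.issue.body`, with the write-permission note appended) and none for the second. Passing the event text through `env:` only removes the shell-injection half of the problem; the permissions check is what reflects the least-privilege point above, and a real rule set would also inspect which tools the agent step is allowed to invoke.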