The AI You Hired to Write Code Just Got a Side Job You Didn't Approve

You asked your AI coding assistant to review some open-source code for security holes. It found one — and then immediately ran the attacker's malicious script on your laptop. You asked it to grab a popular Python library. It made up a name that sounded right, fetched a package that actually exists with that fake name, and installed malware written by someone who predicted exactly what your AI would hallucinate. You opened a GitHub issue on a public repository you maintain. An AI agent you configured to help with support automatically read that issue, followed a hidden instruction embedded in it, and leaked data from your company's private repositories.

These aren't theoretical attacks. They happened in the last 90 days. To real developers. Using the AI tools everyone told them would make them more productive.

The thing you invited into your codebase to help you work faster is now being remotely controlled by attackers who never needed your password.

The Helper You Trusted Is Following Instructions You Never Gave

Here's what's actually happening: AI coding assistants — Copilot, Cursor, Cody, all of them — don't just read code. They execute it. They follow instructions. They fetch dependencies. And they can't reliably tell the difference between instructions you gave them and instructions an attacker hid inside the thing you asked them to look at.

Researchers just proved that six major AI coding assistants can be hijacked using something called a symlink attack — a booby-trapped code project that quietly redirects the AI to run commands the developer never intended. You clone a repo that looks legitimate. You ask your AI to review it or help refactor something. The AI reads a hidden configuration file the attacker planted, follows it, and runs code that exfiltrates your environment variables, AWS credentials, or SSH keys. You never clicked "yes." The AI just did what it was designed to do: follow instructions in the code.

Then there's HalluSquatting. AI assistants hallucinate package names constantly — they make up names for libraries that don't exist yet but sound like they should. Attackers are now pre-registering those fake names on NPM and PyPI with real malicious packages. When your AI hallucinates the name and tries to install it, the malware is already waiting. This isn't a supply chain attack. It's a supply chain trap — and your AI is walking into it on your behalf.

Worse: even AI agents specifically built to find malicious code are getting tricked into running it. Security-focused agents designed to scan repos for vulnerabilities are being manipulated by the very code they're supposed to analyze. Ask the AI to audit something, and it might execute the exploit instead.

The tool you're using to move faster just became the thing slowing you down — because now you can't trust what it does when you're not looking.

Why This Wasn't a Problem Six Months Ago and Why It's Everywhere Now

AI coding assistants used to be autocomplete. Now they're autonomous. They don't just suggest — they act. They open files, install packages, read issues, execute scripts, make API calls. That shift happened fast, and security didn't keep up.

Developers adopted these tools at massive scale in 2024. According to GitHub, over one million developers are now using Copilot in production environments. Startups are building entire products where AI agents manage repos, triage bugs, and merge pull requests without human review. The attack surface isn't just bigger — it's agentic. The AI has permissions. It has access. And it takes action.

At the same time, attackers figured out that they don't need to hack the developer anymore — they can hack the assistant. They're not exploiting your mistakes. They're exploiting the AI's inability to distinguish between helpful code and hostile instructions. The AI doesn't have skepticism. It has context windows and pattern matching.

And because most developers don't realize their AI assistant is executing anything at all, they're not defending against it. You wouldn't run curl | bash on a random script. But your AI does it for you — and you didn't even know to watch for it.

The Three-Minute Audit That Stops This Before It Starts

You can't un-adopt AI coding assistants. But you can lock down what they're allowed to touch. Here's the framework. Run it once. Update it every time you add a new assistant or project.

1. Audit what your AI can execute.  

Open the settings for every coding assistant you use. Look for permissions related to terminal access, script execution, and file system writes. If the AI can run shell commands without asking, revoke that permission. Most assistants have a "require confirmation for execution" mode. Turn it on. You'll get one extra prompt. That prompt could save your credentials.

2. Isolate your AI's environment.  

Never let an AI assistant run with access to your production AWS keys, SSH credentials, or API tokens. Use a separate, limited-permission profile for any session where AI is active. If the AI gets compromised, it should only have access to a sandbox — not your entire infrastructure. Tools like direnv can help scope secrets to specific directories the AI never touches.

3. Review dependencies before the AI installs them.  

When your AI suggests installing a package, stop. Check if that package actually exists and has legitimate maintainers. Search for it manually on NPM, PyPI, or GitHub. If it has 12 downloads and was published last week, don't let the AI install it — even if it "sounds right." Attackers are counting on you trusting the AI's confidence.

4. Treat public repos your AI touches as untrusted input.  

If you're using an AI agent to scan, review, or interact with third-party code — especially open-source repos or GitHub issues from strangers — assume that code contains instructions meant to manipulate the AI. Don't run those workflows in an environment with access to private repositories, secrets, or internal tools. Segment it.

5. Log what your AI actually does.  

Most coding assistants don't log their actions by default. Change that. Enable logging for file access, terminal commands, and network requests your AI makes. If something goes wrong, you need to know what the AI did — not just what you asked it to do.

This audit won't take long. But skipping it means you're trusting a tool that attackers have already figured out how to hijack.

What did your AI do today?

Have you ever checked the logs, terminal history, or install list after your AI coding assistant "helped" you? Did you find anything you didn't expect?

Identity Decoded publishes every week at identity-decoded.com

Reply

Avatar

or to participate

Keep Reading