CrowdStrike · Agent Attacks
Five new traps
have opened around coding agents.
CrowdStrike’s threat-intelligence team has published five new prompt-injection techniques specific to coding agents such as Codex, Claude Code and Copilot. Unlike chat-era jailbreaks, these are aimed at operations that chain external tools through MCP (Model Context Protocol). End users are not affected, but any team running these agents in production has enough here to spend this week rethinking approval, rollback and audit trails.
The Shift
Prompt injection moved
from “input” to “chain”
Classical prompt injection was single-turn and lived in the chat input box: type “ignore your instructions and…” and hope the model listens. The defensive playbook — input sanitization, system-prompt hardening, output filtering — was aimed at that single entry point, and it worked well enough. AI Navigate’s prompt-injection article lays out that classical picture.
CrowdStrike’s new set overturns that picture. The attack surface is no longer the chat input; it is whatever else the coding agent reads on its own — GitHub Issues, package READMEs, MCP tool outputs, dependency metadata, or shell scripts whose effects cannot be undone. The user may distrust their own input, but the same skepticism does not extend to the text the agent ingests as raw “material.”
| Before (chat-era injection) | Now (five agent-era techniques) |
|---|---|
| The attack enters via the chat box | Embedded in Issue / README / MCP output |
| Defenses: sanitization + system prompt | Requires human approval, permission split, sandbox |
| Damage stops at “wrong answer” | Reaches code edits, deps, actual shell |
| Audit = chat history is enough | Need to reconcile tool calls with diffs |
The dangerous thing is not the input.
It is what the agent reads next.
The Five
Reading the five techniques
from a practitioner’s seat
Bundled by defense, not by PoC.
Issue / PR poisoning
Ask the agent to “fix this Issue” and the Issue body flows straight into the plan. Anyone able to open an Issue on your repo can put instructions in front of your agent — that is a privilege you never intended to grant.
Dependency README / metadata poisoning
The description of an npm / PyPI / crates.io package can hide instructions only the agent reads. Agents evaluating new dependencies read the README first — right where the trap sits.
MCP tool output poisoning
An external MCP server can embed instructions in its output, hijacking the agent’s next step. If you connect low-trust MCPs, poisoned outputs can steer the whole decision tree.
Transitive-dependency rewriting
Not the deps you named, but the deps those deps pull in. Rewriting their metadata gets the agent to propose adding new packages, hiding instructions deeper than any surface review reaches.
Non-reversible shell paths
Steer the agent into rm -rf, destructive DB migrations, or actions that cannot be rolled back. The point is to attack the reversibility assumption itself.
By The Numbers
Three numbers for sizing the threat
Who It Hits
Who this touches, and how
Teams running coding agents in production take the direct hit. In particular, workflows where Claude Code or Codex is driven from GitHub Issues (auto-fix PR generation, bot-style Issue handling) are structurally exposed to the combination of #1 and #3. In practice, the shine of “this is working great” usually postpones audit and permission work; this week is the right time to revisit.
PM and IT get one more line on the review checklist. The AI-tooling procurement checklist now needs three new questions: does the agent read external data? which tools can it call with that data? does it have permission to take non-reversible actions? The same three apply to Codex, Claude Code, ChatGPT Agent, Notion External Agents and Writer Triggers — all the agent surfaces that piled up in July.
Individual users, chat-only users get little direct exposure. But the disclosure is a cheap way to update your mental model: giving shell-capable agents access to third-party Issues starts to look different when you know these five paths exist. That kind of resolution matters as agents spread through the back half of 2026.
What's Next
Three reviews to do this week
Recommended actions, in order. ① Pin non-reversible actions to human approval. rm -rf, destructive DB migrations, production deploys, non-rollback API calls — pull these out of the agent’s autonomous path and route them through a Slack / dashboard one-click approval. This single move disarms most of #5 by itself.
② Make the MCP trust boundary explicit. Inventory every MCP server you have connected and label it internal / official / third-party / user-supplied. Only allow output-into-input chaining for internal and official. Doing this in a single week meaningfully shrinks the attack surface for #3.
③ Audit diffs against execution logs. Route every shell the agent runs, and every file diff it produces, into a dashboard a human actually looks at. Even post-hoc, being able to answer “why did we end up with this diff?” is what makes #1, #2 and #4 tractable. Combine CrowdStrike’s original report with the counterpoint below to size the response.
Counterpoint
Limits and the other side
First, “five techniques” is not a final number. CrowdStrike bundled them together this week, but each has been sketched somewhere before; the value here is the “agent-era attack surface” framing, not a new taxonomy. New paths will show up (CI-secret capture, IDE-plugin injection, extension marketplaces) and “defend the five” will feel dated in a month.
Second, there is a vendor-marketing angle. CrowdStrike sells endpoint detection and threat intelligence, so a story about “agents are dangerous” is tailwind for their catalog. That does not weaken the underlying techniques, but read the “here is what to buy” part of any coverage with a raised eyebrow.
Third, there is overreaction risk. All five techniques can be contained by human approval, permission split and audit. That is another way of saying you can keep using Claude Code and Codex — you just have to run them behind guardrails. Giving up the productivity gain is not rational today; what you need is an operational design that does not panic on the first incident.