共有:

CrowdStrike · Agent Attacks

Five new traps
have opened around coding agents.

CrowdStrike’s threat-intelligence team has published five new prompt-injection techniques specific to coding agents such as Codex, Claude Code and Copilot. Unlike chat-era jailbreaks, these are aimed at operations that chain external tools through MCP (Model Context Protocol). End users are not affected, but any team running these agents in production has enough here to spend this week rethinking approval, rollback and audit trails.

AI Navigate Editorial2026.07.127 min read

CODING AGENT ATTACK SURFACE Agent Codex / Claude Code Issue / PR Package README MCP tool output Transitive deps non-reversible shell #1 #2 #3 #4 #5
01

The Shift

Prompt injection moved
from “input” to “chain”

Classical prompt injection was single-turn and lived in the chat input box: type “ignore your instructions and…” and hope the model listens. The defensive playbook — input sanitization, system-prompt hardening, output filtering — was aimed at that single entry point, and it worked well enough. AI Navigate’s prompt-injection article lays out that classical picture.

CrowdStrike’s new set overturns that picture. The attack surface is no longer the chat input; it is whatever else the coding agent reads on its own — GitHub Issues, package READMEs, MCP tool outputs, dependency metadata, or shell scripts whose effects cannot be undone. The user may distrust their own input, but the same skepticism does not extend to the text the agent ingests as raw “material.”

Before (chat-era injection)Now (five agent-era techniques)
The attack enters via the chat boxEmbedded in Issue / README / MCP output
Defenses: sanitization + system promptRequires human approval, permission split, sandbox
Damage stops at “wrong answer”Reaches code edits, deps, actual shell
Audit = chat history is enoughNeed to reconcile tool calls with diffs

The dangerous thing is not the input.
It is what the agent reads next.


02

The Five

Reading the five techniques
from a practitioner’s seat

Bundled by defense, not by PoC.

01

Issue / PR poisoning

Ask the agent to “fix this Issue” and the Issue body flows straight into the plan. Anyone able to open an Issue on your repo can put instructions in front of your agent — that is a privilege you never intended to grant.

02

Dependency README / metadata poisoning

The description of an npm / PyPI / crates.io package can hide instructions only the agent reads. Agents evaluating new dependencies read the README first — right where the trap sits.

03

MCP tool output poisoning

An external MCP server can embed instructions in its output, hijacking the agent’s next step. If you connect low-trust MCPs, poisoned outputs can steer the whole decision tree.

04

Transitive-dependency rewriting

Not the deps you named, but the deps those deps pull in. Rewriting their metadata gets the agent to propose adding new packages, hiding instructions deeper than any surface review reaches.

05

Non-reversible shell paths

Steer the agent into rm -rf, destructive DB migrations, or actions that cannot be rolled back. The point is to attack the reversibility assumption itself.

03

By The Numbers

Three numbers for sizing the threat

5 techniques
disclosed together by CrowdStrike
4 vectors
Issue / README / MCP / transitive
1 vector
non-reversible shell execution
04

Who It Hits

Who this touches, and how

Teams running coding agents in production take the direct hit. In particular, workflows where Claude Code or Codex is driven from GitHub Issues (auto-fix PR generation, bot-style Issue handling) are structurally exposed to the combination of #1 and #3. In practice, the shine of “this is working great” usually postpones audit and permission work; this week is the right time to revisit.

PM and IT get one more line on the review checklist. The AI-tooling procurement checklist now needs three new questions: does the agent read external data? which tools can it call with that data? does it have permission to take non-reversible actions? The same three apply to Codex, Claude Code, ChatGPT Agent, Notion External Agents and Writer Triggers — all the agent surfaces that piled up in July.

Individual users, chat-only users get little direct exposure. But the disclosure is a cheap way to update your mental model: giving shell-capable agents access to third-party Issues starts to look different when you know these five paths exist. That kind of resolution matters as agents spread through the back half of 2026.

05

What's Next

Three reviews to do this week

Recommended actions, in order. ① Pin non-reversible actions to human approval. rm -rf, destructive DB migrations, production deploys, non-rollback API calls — pull these out of the agent’s autonomous path and route them through a Slack / dashboard one-click approval. This single move disarms most of #5 by itself.

Make the MCP trust boundary explicit. Inventory every MCP server you have connected and label it internal / official / third-party / user-supplied. Only allow output-into-input chaining for internal and official. Doing this in a single week meaningfully shrinks the attack surface for #3.

Audit diffs against execution logs. Route every shell the agent runs, and every file diff it produces, into a dashboard a human actually looks at. Even post-hoc, being able to answer “why did we end up with this diff?” is what makes #1, #2 and #4 tractable. Combine CrowdStrike’s original report with the counterpoint below to size the response.

06

Counterpoint

Limits and the other side

First, “five techniques” is not a final number. CrowdStrike bundled them together this week, but each has been sketched somewhere before; the value here is the “agent-era attack surface” framing, not a new taxonomy. New paths will show up (CI-secret capture, IDE-plugin injection, extension marketplaces) and “defend the five” will feel dated in a month.

Second, there is a vendor-marketing angle. CrowdStrike sells endpoint detection and threat intelligence, so a story about “agents are dangerous” is tailwind for their catalog. That does not weaken the underlying techniques, but read the “here is what to buy” part of any coverage with a raised eyebrow.

Third, there is overreaction risk. All five techniques can be contained by human approval, permission split and audit. That is another way of saying you can keep using Claude Code and Codex — you just have to run them behind guardrails. Giving up the productivity gain is not rational today; what you need is an operational design that does not panic on the first incident.