There is a dirty secret at the heart of the AI coding revolution. The tools we trust to write our code, manage our files, and execute our shell commands are fundamentally vulnerable to an attack class that no amount of prompt-engineering can reliably fix. A landmark paper from January 2026 — "Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis of Vulnerabilities in Skills, Tools, and Protocol Ecosystems" (arXiv:2601.17548) — rips the lid off this problem. And the findings should give every engineering team serious pause.

What the Paper Actually Studies

Explanatory diagram

This is a Systematization of Knowledge (SoK) paper — the security community's version of a literature review on steroids. The authors synthesized 78 recent studies spanning 2021 to 2026, specifically focused on the new class of agentic AI coding tools: systems where an LLM doesn't just suggest code, but executes shell commands, reads and writes files, calls external APIs, and manages persistent state through protocols like the Model Context Protocol (MCP).

The research covers Claude Code, GitHub Copilot, Cursor, and a range of emerging skill-based architectures. These aren't toy systems — they're the tools hundreds of thousands of engineers use daily. And they're profoundly exploitable.

The Core Vulnerability: LLMs Can't Tell Instructions from Data

The fundamental problem identified by the paper is architectural. LLMs process everything as a flat token stream. There is no hardware-enforced memory protection, no ring separation between "trusted instructions" and "untrusted data." When you ask Claude Code to read a repository's README file and that README contains carefully crafted text designed to override the agent's behavior, the model simply cannot reliably distinguish "this is content I should summarize" from "this is an instruction I should follow."

This isn't a bug in any particular product. It's a consequence of how these models work.

The paper's meta-analysis is stark: attack success rates against state-of-the-art defenses exceed 85% when adaptive attack strategies are employed. Read that again. Best-in-class defenses fail more than four times out of five when the attacker knows what defense is in place and adapts accordingly.

A Three-Dimensional Attack Taxonomy

One of the paper's genuine contributions is a clean taxonomy for understanding the attack space:

graph TD
    A[Prompt Injection Attacks on Coding Agents] --> B[Delivery Vector]
    A --> C[Attack Modality]
    A --> D[Propagation Behavior]

    B --> B1[Direct Injection]
    B --> B2[Indirect Injection]

    B1 --> B1a[Role Hijacking]
    B1 --> B1b[Context Override]
    B1 --> B1c[Instruction Negation]

    B2 --> B2a[Malicious Files in Repo]
    B2 --> B2b[Poisoned Tool Outputs]
    B2 --> B2c[Compromised Dependencies]
    B2 --> B2d[MCP Server Manipulation]

    C --> C1[Text-based]
    C --> C2[Code-embedded]
    C --> C3[Metadata-embedded]

    D --> D1[One-shot]
    D --> D2[Persistent / Self-propagating]
    D --> D3[Latent / Triggered]

Direct injection is what most people think of when they hear "prompt injection" — you directly feed malicious text to the model. But in agentic coding contexts, indirect injection is far more dangerous. An attacker doesn't need access to your terminal. They just need to get malicious content into something the agent reads: a file in a repository you clone, a web page returned by a tool call, a dependency's docstring, a CI/CD log.

The propagation dimension is particularly chilling. Self-propagating attacks — where an injected payload causes the agent to write similar payloads into other files the agent will later read — are real and have been demonstrated.

What Attackers Can Actually Do

The paper documents what successful attacks achieve in practice:

  1. Credential exfiltration: The agent is redirected to read ~/.ssh/id_rsa or environment variables and transmit them to an attacker-controlled endpoint.
  2. Code backdooring: The agent inserts subtle backdoors into code it's writing, without the developer noticing.
  3. Repository poisoning: The agent modifies other files it has write access to, spreading the attack.
  4. Privilege escalation: The agent is convinced to execute commands it should refuse, such as disabling security checks or modifying CI/CD pipelines.
  5. Data exfiltration via side channels: Encoded information is smuggled out through seemingly innocuous commit messages, log outputs, or API calls.

The Defense Landscape Is Thin

The paper surveys existing defenses and they don't paint a pretty picture:

  • Input filtering / sanitization: Brittle. Attackers trivially bypass keyword-based filters with encoding, obfuscation, or semantic paraphrase.
  • LLM-based detection: The same models that are fooled by injections are often tasked with detecting them. Meta-circularity doesn't work.
  • Sandboxing: Container-based isolation blocks the most dangerous commands, but at severe productivity cost. Most production deployments aren't sandboxed.
  • Least-privilege principles: Theoretically sound, practically ignored. Most agents are given broad filesystem and tool access because restricting them makes them less useful.

The paper's conclusion is that "defense-in-depth" and "architectural separation" — policy gates, audit logging, human-in-the-loop checkpoints — are more promising than trying to fix the LLM's instruction/data confusion directly.

Why This Matters

We are building the next generation of software development infrastructure on top of agentic AI. The code these agents write is going into production systems. The commands they execute are running on developer laptops and CI/CD pipelines. The files they read include credentials, certificates, and proprietary IP.

If 85% of attacks succeed against best defenses, we have a serious production security problem that is currently being papered over by security theater. The fact that we haven't seen mass exploitation yet is partly luck and partly the fact that most sophisticated attackers haven't optimized for this attack surface yet. That won't last.

This paper is also important because it's the first comprehensive map of the attack surface. Previous work focused on individual attack types in isolation. The SoK framing — synthesizing 78 studies into a coherent taxonomy — gives defenders something they can actually build against.

Comic strip

My Take

I've been building with agentic coding tools for over a year. And I'll be blunt: the security assumptions baked into most deployments are naive. Teams that are letting Claude Code or Copilot run with broad filesystem access on developer machines, without audit logging, without sandboxing, without prompt integrity guarantees — they are running an uncontrolled security experiment.

The 85% attack success rate isn't the number that scares me most. It's the self-propagating attacks. The moment you have an AI agent that can read and write files and its behavior can be altered by what it reads, you have the ingredients for an AI-native worm. We haven't seen one in the wild yet. This paper shows we have all the components.

What needs to happen? Three things, urgently:

  1. Standardized sandboxing for agentic coding tools, similar to browser security models. The MCP protocol is growing fast; it needs a security profile to match.
  2. Cryptographic prompt integrity — a way to mark system prompt content as trusted so it's processed differently from user-provided or tool-retrieved content.
  3. Mandatory audit logging for all agentic actions, with human review gates for high-privilege operations.

The paper ends with a call for "defense-in-depth and architectural separation." I'd go further: we need to treat agentic coding tools as network-connected software running in our most sensitive environments, because that's exactly what they are. The security model needs to match the threat model.

Until the field catches up, my practice is simple: always sandbox agents, always review their full action logs, never grant write access to sensitive paths, and treat any code an agent has touched as potentially malicious until reviewed. It's inconvenient. It's also correct.

Paper: "Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis of Vulnerabilities in Skills, Tools, and Protocol Ecosystems" — arXiv:2601.17548 (January 2026)